On 05/10/2012 03:11 PM, Simo Sorce wrote:
On Thu, 2012-05-10 at 03:58 +0400, free...@noboost.org wrote:
On Wed, May 09, 2012 at 01:21:39PM +0200, Petr Spacek wrote:
On 05/09/2012 03:31 AM, Dan Scott wrote:
On Tue, May 8, 2012 at 8:45 PM,<free...@noboost.org> wrote:
On Tue, May 08, 2012 at 09:43:13AM -0400, Rob Crittenden wrote:
Dan Scott wrote:
On Tue, May 8, 2012 at 1:55 AM,<free...@noboost.org> wrote:
Hi,
Spec:
Red Hat Enterprise Linux Server release 6.2 (Santiago)
ipa-admintools-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
ipa-server-selinux-2.1.3-9.el6.x86_64
Issue:
Firstly I'll declare someone must have seen this by now?
I've set the password policy to 99999;
[root@sysvm-ipa ~]# ipa pwpolicy-show
Group: global_policy
Max lifetime (days): 99999
Min lifetime (hours): 1
History size: 0
Character classes: 0
Min length: 6
Max failures: 6
Failure reset interval: 60
Lockout duration: 600
But old accounts are not getting the change at the ldap level, even
though IPA claims the expiry date has updated.
e.g.
[root@sysvm-ipa ~]# ipa pwpolicy-show --user=john
Group: global_policy
Max lifetime (days): 99999
Min lifetime (hours): 1
History size: 0
Character classes: 0
Min length: 6
Max failures: 6
Failure reset interval: 60
Lockout duration: 600
ldapsearch (command chopped)
# john, users, accounts, teratext.saic.com.au
dn: uid=john,cn=users,cn=accounts,dc=example,dc=com
krbPasswordExpiration: 20120506011529Z
So now when the user(s) logs in, I'm getting "password will expire in XX
days" messages.
Any ideas?
Can I globally update this somehow, otherwise I'll be re-typing
passwords for a while.
A password reset by admin always expires the password. I think once
the user first changes their password it will have the lifetime that
you specified.
You can force the expiration date using an ldapmodify command:
ldapmodify -x -D 'cn=directory manager' -W -h $IPA_SERVER -p 389 -vv
-f update_krbpasswordexpiration.ldif
Where the update_krbpasswordexpiration.ldif file contains:
dn: uid=$USERNAME,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
replace: krbpasswordexpiration
krbpasswordexpiration: 20140202203734Z
You could do this as admin if you have a ticket so that you don't have
to enter the directory manager password.
This is great, thanks Dan.
BTW the equivalent command using a Kerberos ticket is:
$ ldapmodify -Y GSSAPI -h $IPA_SERVER -p 389 -vv -f
update_krbpasswordexpiration.ldif
rob
Thanks great advice, so just to clarify, do the rear numbers just
represent hours, seconds etc?
e.g. krbpasswordexpiration: 20150101203734Z
krbpasswordexpiration: 20150101 [20 37 34 ?] Z (20=hour,37=min,34=sec]?
Yep, and Z indicates GMT.
Question is:
1) Should we document that (and provide a hint in `ipa pwpolicy` output)?
OR
2) Should ipa pwpolicy do update for all affected principals in
LDAP? Just to prevent confusion?
I like variant 2, because variant 1 seems to be confusing to me.
Craig, what is user opinion?
Petr^2 Spacek
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
The thing that threw me was that "Max lifetime (days)" is not the actual expiry
date.
Once I realised that there was an ldap "krbPasswordExpiration" attribute which
I can
modify directly, then I fixed the issue for the whole company in about 10min :)
Documentation (my opinion):
* Full meaning for this attribute krbPasswordExpiration
* The difference between Max lifetime (days)& krbPasswordExpiration
* How to change ldap expiration entries.
It would be nice if you could open a ticket so we can track this RFE and
not forget about it.
Done 2 hours ago, I forget to report it :-)
https://fedorahosted.org/freeipa/ticket/2745
Thanks.
Simo.
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
