On 09/05/2012 10:53 AM, Rob Crittenden wrote:
> Dale Macartney wrote:
>>
>> On 05/09/12 13:39, Rob Crittenden wrote:
>>> Dale Macartney wrote:
>>>>
>>>> Afternoon all
>>>>
>>>> I have a demo lab set up with RHEV 3.0 and IPA running on RHEL 6.3
>>>> (ipa-server-2.2-16)
>>>>
>>>> I have an api script that handles all my deployments and I am
>>>> trying to set up a role account for my script to run within a
>>>> jenkins environment.
>>>>
>>>> I have created an ldap sysaccount, however that doesn't appear in the
>>>> RHEV users list when I do a search. So it's clear it's looking for
>>>> specific IPA users.
>>>>
>>>> Is there a way (or on the roadmap), to create service/role accounts in
>>>> IPA where the password doesn't expire?
>>>>
>>>> I'm trying to avoid scenarios like this
>>>>
>>>> https://access.redhat.com/knowledge/solutions/67562
>>>>
>>>> Any comments / suggestions are welcome
>>>>
>>>> Thanks everyone
>>>>
>>>> Dale
>>>>
>>>
>>> A work-around is to set krbpasswordexpiration of the user somewhere
>>> far in the future to prevent expiration.
>>
>> That'll work.. Do I need to do anything fancy though? I tried running
>> the below on a new user called rhev-build but it keeps erroring out. I
>> know I have a current TGT otherwise I wouldn't be able to add the user
>> in the first place.
>>
>> [root@ds01 ~]# ipa user-mod rhev-build --setattr=krbPasswordExpiration=20131231011529Z
>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'krbPasswordExpiration' attribute of entry 'uid=rhev-build,cn=users,cn=accounts,dc=example,dc=com'.
>> [root@ds01 ~]#
>
> We don't let admins muck with the expiration date. Please file an RFE
> ticket if you'd like that capability.

https://fedorahosted.org/freeipa/ticket/3062

>
> You'll have to resort to ldapmodify:
>
> $ ldapmodify -x -D 'cn=directory manager' -W
> Enter LDAP Password:
> dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> replace: krbPasswordExpiration
> krbPasswordExpiration: 20131231011529Z
>
> modifying entry "uid=tuser1,cn=users,cn=accounts,dc=example,dc=com"
>
> You might want to consider 2037 as the year. 2014 will be here before
> you know it.
>
> rob
>
>>
>>>
>>> We have a ticket open on this,
>>> https://fedorahosted.org/freeipa/ticket/2111, currently targeted for IPA
>>> 3.3.
>>
>> Good to know it's on its way. This is a demo lab so setting a long
>> password expiry addresses my needs.
>>
>>>
>>> rob
>>
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
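
Added example, not part of the thread and not FreeIPA code: once krbPasswordExpiration has been overridden by hand as discussed above, a periodic audit can list which accounts carry a far-future value and which are about to expire. It assumes LDIF text in the shape `ldapsearch -LLL` prints; the jdoe and svc-old entries, the 30/365-day thresholds and the status labels are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `ldapsearch -LLL` output (not real data).
SAMPLE_LDIF = """\
dn: uid=rhev-build,cn=users,cn=accounts,dc=example,dc=com
krbPasswordExpiration: 20371231011529Z

dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
krbPasswordExpiration: 20131231011529Z

dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
krbPasswordExpiration: 20120920090000Z

dn: uid=svc-old,cn=users,cn=accounts,dc=example,dc=com
"""


def parse_entries(ldif):
    """Return [(dn, expiry-or-None)] from simple LDIF; base64 '::' values are ignored."""
    entries = []
    for block in ldif.strip().split("\n\n"):
        attrs = {}
        # Unfold continuation lines (newline + single space) before splitting.
        for line in block.replace("\n ", "").splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                attrs[key.lower()] = value.strip()
        raw = attrs.get("krbpasswordexpiration")
        # GeneralizedTime in the form used in the thread: YYYYMMDDhhmmssZ (UTC).
        expiry = (datetime.strptime(raw, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
                  if raw else None)
        entries.append((attrs.get("dn"), expiry))
    return entries


def classify(expiry, now, warn_days=30, max_days=365):
    """Label one expiry relative to `now`; thresholds are assumed policy values."""
    if expiry is None:
        return "unset"
    if expiry <= now:
        return "expired"
    if expiry - now <= timedelta(days=warn_days):
        return "expiring-soon"
    if expiry - now > timedelta(days=max_days):
        return "far-future"  # likely a manual override like the one in the thread
    return "ok"


def audit(ldif, now=None):
    """Map each entry's DN to its status label."""
    now = now or datetime.now(timezone.utc)
    return {dn: classify(exp, now) for dn, exp in parse_entries(ldif)}
```

Accounts reported as far-future are the ones to track in an inventory, since their passwords no longer follow the normal expiration policy.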
