On 09/14/2012 02:33 PM, Ott, Dennis wrote: > > There seems to be nothing in the documentation about a user being able > to initiate a password change dialogue after their password has > expired, yet it seems that one is able to do just that. There is a > value in the ldap store, passwordGraceLimit, which is initialized to > zero. I have modified that value but it seems to have no effect. > > > > I would like to limit this ability to just a few days, or > alternatively, completely lock out the account once the password has > expired. > > > > Does anyone have any insight as to how to do this? If not, is it > planned for a future release? > > > > I suppose I could look at a script running daily that would lock the > account if the user's password has expired in the last X hours, but I > was hoping for something builtin. > > > > Any help is appreciated. > > > AFAIR this is the first request of this kind. We allow to change the password even after expiration. The main reason is that newly created accounts need to change passwords so they are marked as immediately expired. But it might take some time for user to actually log into the system for the first time this is why we never thought about the use case described. So I suspect we do not have any grace period enforced.
It might be a bug. Simo, what do you think ? > > > Dennis > > > > _______________________________________________ > Freeipa-users mailing list > Freeipaemail@example.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/
_______________________________________________ Freeipa-users mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-users