Ott, Dennis wrote:
There seems to be nothing in the documentation about a user being able
to initiate a password change dialogue after their password has expired,
yet it seems that one is able to do just that. There is a value in the
ldap store, passwordGraceLimit, which is initialized to zero. I have
modified that value but it seems to have no effect.

This value is not used by IPA.

I don't believe we have the ability to do this right now. As you suggest, some automation may be required to find expired passwords and lock them out.

I would like to limit this ability to just a few days, or alternatively,
completely lock out the account once the password has expired.

This would be difficult because administratively-reset accounts have their passwords expired to force users to set a new one (so that only the end-user knows their password). This would effectively lock everyone out.

Does anyone have any insight as to how to do this? If not, is it planned
for a future release?

No plans for this AFAIK. Feel free to file an enhancement request ticket on our Trac site,

I suppose I could look at a script running daily that would lock the
account if the user’s password has expired in the last X hours, but I
was hoping for something built-in.
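As an added illustration (not from this thread and not IPA's own code), one shape the daily script just mentioned could take: it reads each user's krbPasswordExpiration (as shown by `ipa user-find --all --raw`), keeps the accounts whose password expired more than a configurable number of hours ago, and emits the matching `ipa user-disable` commands for review. The entries, the grace window and the fixed clock are constructed for the demo, and, as noted above, administratively reset accounts also carry an expired date, so they will be listed too unless the user changes their password within the window.

```python
# Added example: daily sweep for expired IPA passwords. Sample data is constructed.
from datetime import datetime, timedelta, timezone

GRACE_HOURS = 72  # the "X hours" from the thread; assumed value for the demo

# Constructed sample: uid -> krbPasswordExpiration as returned by
# `ipa user-find --all --raw` (LDAP GeneralizedTime, UTC, no fractional seconds).
SAMPLE_ENTRIES = {
    "alice": "20240110120000Z",  # expired before the cut-off -> lock
    "bob":   "20240114230000Z",  # expired, but inside the grace window -> keep
    "carol": "20240301000000Z",  # not expired yet -> keep
    "dave":  None,               # no expiration set at all -> keep
}

# Fixed clock so the demo is reproducible; a real run would use datetime.now(timezone.utc).
DEMO_NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)


def parse_generalized_time(value):
    """Parse LDAP GeneralizedTime 'YYYYMMDDHHMMSSZ' into an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def accounts_to_lock(entries, now, grace_hours=GRACE_HOURS):
    """Return uids whose password expired more than grace_hours before `now`.

    Entries with no expiration are skipped. Caveat from the thread: an admin
    password reset also sets an expired date, so those users show up here too
    unless they pick a new password within the grace window.
    """
    cutoff = now - timedelta(hours=grace_hours)
    to_lock = []
    for uid, expiration in sorted(entries.items()):
        if not expiration:
            continue
        if parse_generalized_time(expiration) < cutoff:
            to_lock.append(uid)
    return to_lock


def lock_commands(uids):
    """Build the `ipa user-disable` commands; printing them first allows a dry run."""
    return ["ipa user-disable %s" % uid for uid in uids]


if __name__ == "__main__":
    for cmd in lock_commands(accounts_to_lock(SAMPLE_ENTRIES, DEMO_NOW)):
        print(cmd)
```

Run from a cron job, the printed commands can be piped to a shell once the list has been reviewed, so a mistaken window never disables the wrong users silently.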
