On Fri, 2012-09-14 at 14:50 -0400, Dmitri Pal wrote:
> On 09/14/2012 02:33 PM, Ott, Dennis wrote:
> > There seems to be nothing in the documentation about a user being
> > able to initiate a password change dialogue after their password has
> > expired, yet it seems that one is able to do just that. There is a
> > value in the LDAP store, passwordGraceLimit, which is initialized to
> > zero. I have modified that value but it seems to have no effect.
> >
> > I would like to limit this ability to just a few days, or
> > alternatively, completely lock out the account once the password has
> > expired.
> >
> > Does anyone have any insight as to how to do this? If not, is it
> > planned for a future release?
> >
> > I suppose I could look at a script running daily that would lock the
> > account if the user's password has expired in the last X hours, but
> > I was hoping for something built-in.
> >
> > Any help is appreciated.
> >
>
> AFAIR this is the first request of this kind. We allow changing the
> password even after expiration. The main reason is that newly created
> accounts need to change passwords, so they are marked as immediately
> expired. But it might take some time for a user to actually log into the
> system for the first time; this is why we never thought about the use
> case described. So I suspect we do not have any grace period enforced.
>
> It might be a bug.
>
> Simo, what do you think?
Sounds like material for a Feature Request. I think setting a grace
period is a good idea, and it would have the nice side effect of
automatically locking new accounts if the user never uses them.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
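The daily lock-out script Dennis sketches above, as an added example that is not from the thread or from FreeIPA itself. It assumes an `ldapsearch` dump of each user's `krbPasswordExpiration` (FreeIPA's expiry attribute, in LDAP GeneralizedTime) and `nsAccountLock` has been saved as LDIF; the sample entries, DNs and cutoff time below are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of what the ldapsearch dump might contain (hypothetical users).
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
krbPasswordExpiration: 20120901120000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
krbPasswordExpiration: 20121001120000Z

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
krbPasswordExpiration: 20120913120000Z
nsAccountLock: TRUE

dn: uid=dave,cn=users,cn=accounts,dc=example,dc=com
"""

def parse_ldif(text):
    """Parse the minimal single-valued LDIF subset above into a list of dicts."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends an entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, val = line.partition(": ")
        cur[attr] = val
    if cur:
        entries.append(cur)
    return entries

def parse_gt(value):
    """GeneralizedTime 'YYYYMMDDHHMMSSZ' -> timezone-aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def accounts_to_lock(entries, now, grace):
    """DNs whose password expired more than `grace` ago and are not yet locked.
    Entries with no expiry (never expires) and already-locked entries are skipped."""
    to_lock = []
    for e in entries:
        exp = e.get("krbPasswordExpiration")
        if exp is None or e.get("nsAccountLock", "FALSE").upper() == "TRUE":
            continue
        if parse_gt(exp) + grace <= now:
            to_lock.append(e["dn"])
    return to_lock

def lock_commands(dns):
    """Map each DN's uid to the CLI call an admin would run (`ipa user-disable`)."""
    return ["ipa user-disable " + dn.split(",", 1)[0].split("=", 1)[1] for dn in dns]

def run_sample(grace_days=3):
    """Apply the check to the sample at a constructed 'now' of 2012-09-14 18:50 UTC."""
    now = datetime(2012, 9, 14, 18, 50, tzinfo=timezone.utc)
    return lock_commands(accounts_to_lock(parse_ldif(SAMPLE_LDIF), now, timedelta(days=grace_days)))

if __name__ == "__main__":
    print("\n".join(run_sample()))
```

Replace `SAMPLE_LDIF` with the real dump and pipe the printed commands into a shell from cron; with a zero-day grace window the same check simply locks any account whose expiry is already in the past.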