Dmitri Pal wrote:
On 02/10/2013 11:22 PM, Rajnesh Kumar Siwal wrote:
The details are as follows:-

[root@ipa1 ~]# ipa pwpolicy-show
   Group: global_policy
   Max lifetime (days): 90
   Min lifetime (hours): 1
   History size: 0
   Character classes: 0
   Min length: 12
   Max failures: 6
   Failure reset interval: 60
   Lockout duration: 600
[root@ipa1 ~]# ipa user-show siwal --all --raw
   dn: uid=siwal,cn=users,cn=accounts,dc=xyz,dc=dmz
   uid: siwal
   sn: Kumar
   cn: siwal
   homedirectory: /home/siwal
   loginshell: /bin/bash
   krbprincipalname: si...@xyz.dmz
   uidnumber: 522
   gidnumber: 522
   nsaccountlock: False
   has_password: True
   has_keytab: True
   ipauniqueid: 65775332-712f-11e2-b3cc-000c298a58a4
   krblastpwdchange: 20130208035343Z
   krblastsuccessfulauth: 20130208035929Z
   krbpasswordexpiration: 20130208035343Z
   memberof: cn=ipausers,cn=groups,cn=accounts,dc=xyz,dc=dmz
   memberofindirect: cn=software,cn=groups,cn=accounts,dc=xyz,dc=dmz
   objectclass: krbticketpolicyaux
   objectclass: ipaobject
   objectclass: organizationalperson
   objectclass: top
   objectclass: ipasshuser
   objectclass: inetorgperson
   objectclass: person
   objectclass: inetuser
   objectclass: krbprincipalaux
   objectclass: shadowaccount
   objectclass: posixaccount
   objectclass: ipaSshGroupOfPubKeys
   shadowlastchange: 14879
   shadowmax: 99999
   shadowmin: 0
   shadowwarning: 7


Shadow? Is this normal for IPA accounts? I do not remember seeing it before.


They have added the shadowAccount objectclass. I also don't see a password policy reference in this user.

Does ipa pwpolicy-show --user=siwal return anything?

You might check /var/log/dirsrv/slapd-YOUR_REALM/errors for any issues.

And note that there is a minimum lifetime on passwords so they can't be changed too quickly.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
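
An added example, not part of the thread and not FreeIPA code: a small Python check that reads output in the format quoted above and reports the points the reply raises (the shadowAccount objectclass, a missing policy reference, and the minimum-lifetime window). The sample text is a constructed subset of the quoted output; the attribute name `krbpwdpolicyreference` and the function names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: a subset of the two command outputs quoted in the thread.
POLICY_OUT = """\
   Group: global_policy
   Max lifetime (days): 90
   Min lifetime (hours): 1
"""
USER_OUT = """\
   uid: siwal
   krblastpwdchange: 20130208035343Z
   krbpasswordexpiration: 20130208035343Z
   objectclass: krbprincipalaux
   objectclass: shadowaccount
   objectclass: posixaccount
   shadowmax: 99999
"""

def parse(text):
    """Parse 'key: value' lines into {lowercased key: [values]}; keys may repeat."""
    attrs = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep:
            attrs.setdefault(key.lower(), []).append(value)
    return attrs

def ts(value):
    """Convert an LDAP GeneralizedTime such as 20130208035343Z to an aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def review(user_text, policy_text):
    """Return the facts worth checking before asking why a password change fails."""
    user, policy = parse(user_text), parse(policy_text)
    changed = ts(user["krblastpwdchange"][0])
    min_hours = int(policy["min lifetime (hours)"][0])
    classes = [v.lower() for v in user.get("objectclass", [])]
    return {
        "shadow_objectclass": "shadowaccount" in classes,
        # Assumed attribute name for the per-user password policy reference.
        "policy_reference": "krbpwdpolicyreference" in user,
        # Earliest time the minimum lifetime allows the next change.
        "earliest_change": changed + timedelta(hours=min_hours),
        # True when the recorded expiration is not later than the last change.
        "expires_at_or_before_change": ts(user["krbpasswordexpiration"][0]) <= changed,
    }

if __name__ == "__main__":
    for name, value in review(USER_OUT, POLICY_OUT).items():
        print(f"{name}: {value}")
```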
