On 03/05/2013 10:28 PM, Brian Smith wrote:
> I set the policy to 1 year and recreated the account.
>
> $ ipa pwpolicy-show --user=it-rc-test-faculty
>   Group: global_policy
>   Max lifetime (days): 365
>   Min lifetime (hours): 1
>   History size: 0
>   Character classes: 0
>   Min length: 8
>   Max failures: 10
>   Failure reset interval: 60
>   Lockout duration: 600
>
> Looks like a bug was filed for this about 9 months ago:
> https://fedorahosted.org/freeipa/ticket/2795
>
> I can also confirm the same behavior when the policy is set to 0 days,
> less than 90 days, or if I create a separate password policy for users
> in the ipausers group. The result is always 90 days.
>
> If the user updates the password themselves (after initial login) then
> the password policy works and sets the expiry accordingly.
>
> The user that is adding the users with userpasswd set appears in the
> passsyncmanagersdns list:
>
> passsyncmanagersdns: uid=rc-user-svcacct,cn=users,cn=accounts,dc=rc,dc=usf,dc=edu
>
Can you work around this issue? While it was filed 9 months ago it was
found to not be that critical so we deferred it till a later time.
Patches are always welcome too :-)

> On Mon, Mar 4, 2013 at 2:40 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>
> > Brian Smith wrote:
> >
> > > Thanks for your response, and sorry for my late response. I'm on
> > > RHEL6, using the packages from the distribution repository,
> > > ipa-server-2.2.0-17.el6_3.1.x86_64
> > >
> > > My pwpolicy is set as such (in testing):
> > >
> > > $ ipa pwpolicy-show --all
> > >   dn: cn=global_policy,cn=rc.usf.edu,cn=kerberos,dc=rc,dc=usf,dc=edu
> > >   Group: global_policy
> > >   Max lifetime (days): 365
> > >   Min lifetime (hours): 1
> > >   History size: 0
> > >   Character classes: 0
> > >   Min length: 8
> > >   Max failures: 10
> > >   Failure reset interval: 60
> > >   Lockout duration: 600
> > >   objectclass: top, nsContainer, krbPwdPolicy
> > >
> > > If I create an account and set the password using the following JSON
> > > string, against $server/ipa/json, say today,
> > >
> > > {
> > >   "method":"user_add",
> > >   "params":[ [],
> > >     {
> > >       "uid":"it-rc-test-faculty",
> > >       "homedirectory":"/home/i/it-rc-test-faculty",
> > >       "userpassword":"MyPasswordInTheClear",
> > >       "givenname":"RC TEST - Faculty",
> > >       "sn":"Service_Account"
> > >     }]
> > > }
> > >
> > > I get a password expiry time like so:
> > >
> > > $ ipa user-show --all it-rc-test-faculty | grep krbpasswordexpiration
> > >   krbpasswordexpiration: 20130602163523Z
> > >
> > > That's clearly not one year into the future, but more like 90 days.
> > >
> > > Is there something else I'm missing or are we looking at a bug?
> >
> > I still can't reproduce this. I tried from our 3.x branch and the
> > 2.2 bits on 6.3.
> >
> > Can you do: ipa pwpolicy-show --user=it-rc-test-faculty
> >
> > This will show the policy applied to that user.
> >
> > Might also check /var/log/dirsrv/slapd-REALM/errors for anything
> > suspicious.
> >
> > rob
> >
> > > Many thanks,
> > > -Brian
> > >
> > > On Tue, Feb 26, 2013 at 3:22 AM, Martin Kosek <mko...@redhat.com> wrote:
> > >
> > > > On 02/25/2013 04:38 PM, Brian Smith wrote:
> > > > > It seems that regardless of the global password expiry setting,
> > > > > that setting a password via the methods
> > > > >
> > > > > user-add
> > > > > passwd
> > > > >
> > > > > I will always have a password that expires in 90 days. I followed the
> > > > > instructions here
> > > > > http://freeipa.org/page/PasswordSynchronization
> > > > > to avoid the immediate expiry, but I need at least 180 days for my
> > > > > configuration to work.
> > > > >
> > > > > Any help would be appreciated!
> > > > >
> > > > > --
> > > > > Brian Smith
> > > > > Assistant Director
> > > > > Research Computing, University of South Florida
> > > > > 4202 E. Fowler Ave. SVC4010
> > > > > Office Phone: +1 813 974-1467
> > > > > Organization URL: http://rc.usf.edu
> > > >
> > > > Hello Brian,
> > > >
> > > > Updating maximum password expiration time with "ipa pwpolicy-mod"
> > > > affects only new passwords, i.e. a password that you already changed
> > > > will have the old lifetime.
> > > >
> > > > When I tested this on Fedora 18, password change worked for me:
> > > >
> > > > # ipa pwpolicy-mod --maxlife 180
> > > >   Group: global_policy
> > > >   Max lifetime (days): 180
> > > >   Min lifetime (hours): 1
> > > >   History size: 0
> > > >   Character classes: 0
> > > >   Min length: 8
> > > >   Max failures: 6
> > > >   Failure reset interval: 60
> > > >   Lockout duration: 600
> > > >
> > > > # ipa user-add --first=Foo --last=Bar fbar
> > > > -----------------
> > > > Added user "fbar"
> > > > -----------------
> > > >   User login: fbar
> > > >   First name: Foo
> > > >   Last name: Bar
> > > >   Full name: Foo Bar
> > > >   Display name: Foo Bar
> > > >   Initials: FB
> > > >   Home directory: /home/fbar
> > > >   GECOS field: Foo Bar
> > > >   Login shell: /bin/sh
> > > >   Kerberos principal: f...@example.com
> > > >   Email address: f...@example.com
> > > >   UID: 1758200001
> > > >   GID: 1758200001
> > > >   Password: False
> > > >   Member of groups: ipausers
> > > >   Kerberos keys available: False
> > > > # ipa passwd fbar
> > > > New Password:
> > > > Enter New Password again to verify:
> > > > ---------------------------------------
> > > > Changed password for "f...@example.com"
> > > > ---------------------------------------
> > > >
> > > > $ ssh f...@ipa.client.fqdn
> > > > f...@ipa.client.fqdn's password:
> > > > Password expired. Change your password now.
> > > > Last login: Tue Feb 26 09:16:39 2013 from 10.0.0.1
> > > > WARNING: Your password has expired.
> > > > You must change your password now and login again!
> > > > Changing password for user fbar.
> > > > Current Password:
> > > > New password:
> > > > Retype new password:
> > > > Your password will expire in 180 day(s).   <<<<<<<<<<<<<<<
> > > > passwd: all authentication tokens updated successfully.
> > > > Connection to ipa.client.fqdn closed.
> > > >
> > > > Does this use case work for you or are you hitting a bug?
> > > >
> > > > As for the warning about the expiring password, this is a bug in the
> > > > sssd component which was already fixed upstream:
> > > >
> > > > https://fedorahosted.org/sssd/ticket/1808
> > > >
> > > > Martin

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
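The check Brian did by hand in the thread (compare the user's krbpasswordexpiration with what the applied policy's maxlife says it should be) is the kind of thing worth running over every account after a bulk user_add with userpassword set. The script below is an added example written for this page; it is not code from the thread or from FreeIPA. It parses the "Key: value" text that `ipa pwpolicy-show --user=<uid>` and `ipa user-show --all <uid>` print, recomputes the expected expiry as krbLastPwdChange plus "Max lifetime (days)", and reports users whose expiry lands at a different offset. It assumes the krblastpwdchange attribute appears in the `--all` output; the sample outputs are constructed (the first user's expiry is the value from the thread, its last-change time is assumed to be the creation time).

```python
"""Check whether a FreeIPA user's password expiry matches the password
policy that applies to them, from `ipa pwpolicy-show --user=<uid>` and
`ipa user-show --all <uid>` output.

Added example, not part of the mailing-list thread or of FreeIPA.
"""
import re
from datetime import datetime, timedelta, timezone

# LDAP GeneralizedTime as `ipa ... --all` prints it, e.g. 20130602163523Z
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def parse_ipa_output(text: str) -> dict:
    """Turn the 'Key: value' lines of an ipa command into a dict keyed by the
    lowercased attribute name. Lines without a colon (banners, dashes) are skipped."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(.*)$", line)
        if m:
            attrs[m.group(1).strip().lower()] = m.group(2).strip()
    return attrs


def parse_generalized_time(value: str) -> datetime:
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def expiry_mismatch(policy_text: str, user_text: str,
                    tolerance: timedelta = timedelta(minutes=5)):
    """Return None when krbPasswordExpiration == krbLastPwdChange + maxlife
    (within `tolerance`); otherwise a dict describing the deviation."""
    policy = parse_ipa_output(policy_text)
    user = parse_ipa_output(user_text)
    maxlife_days = int(policy["max lifetime (days)"])
    if maxlife_days == 0:
        # A maxlife of 0 is handled specially by IPA rather than as
        # "last change + 0 days"; this check does not interpret it.
        raise ValueError("maxlife 0 needs a manual check")
    last_change = parse_generalized_time(user["krblastpwdchange"])
    actual = parse_generalized_time(user["krbpasswordexpiration"])
    expected = last_change + timedelta(days=maxlife_days)
    if abs(actual - expected) <= tolerance:
        return None
    return {
        "uid": user["user login"],
        "policy": policy["group"],
        "expected_days": maxlife_days,
        "actual_days": (actual - last_change).days,
    }


def audit(policy_text: str, user_texts) -> list:
    """Run the check over several users' `ipa user-show --all` outputs."""
    return [r for r in (expiry_mismatch(policy_text, u) for u in user_texts) if r]


# Constructed sample output in the shape shown in the thread. The
# krblastpwdchange values are assumed (the thread does not show that
# attribute); the first user's expiry is the thread's actual value.
POLICY_365 = """\
  Group: global_policy
  Max lifetime (days): 365
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 10
  Failure reset interval: 60
  Lockout duration: 600
"""

USER_ADDED_WITH_PASSWORD = """\
  User login: it-rc-test-faculty
  krblastpwdchange: 20130304163523Z
  krbpasswordexpiration: 20130602163523Z
"""

USER_AFTER_SELF_CHANGE = """\
  User login: fbar
  krblastpwdchange: 20130226081639Z
  krbpasswordexpiration: 20140226081639Z
"""

if __name__ == "__main__":
    for f in audit(POLICY_365, [USER_ADDED_WITH_PASSWORD, USER_AFTER_SELF_CHANGE]):
        print("{uid}: policy {policy} says {expected_days} days, expiry is "
              "{actual_days} days after last change".format(**f))
```

Against the constructed data the first user is reported (expiry 90 days after the last change under a 365-day policy) and the second is not. In practice the two command outputs are captured per user with a Kerberos ticket that can read krbPasswordExpiration, and a non-empty audit result after a bulk add is the signal that the policy was not applied to server-set passwords.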