I've seen a few references to this when searching the lists and mention of
enhancements to later versions of freeipa to allow setting certain users to
have passwords that don't expire.
I'm on rhel6, which has an older freeipa, and I can't see it being updated
anytime soon. So I thought I'd share what I did to work around this.
Scenario: set up a user account with a password that doesn't expire. Example: an
account with credentials to bind to ldap to do searches.
Created a user "ldapbind" in freeipa.
Created a user group in freeipa: service_accounts
Added ldapbind as a member of service_accounts
Created a new password policy in freeipa: service_accounts
Replicated the same settings in the service_accounts password policy as per the
default global_policy with the exception of "Max Lifetime", which, instead of
90 days, I set to 7300 days.
The service_accounts policy was created with priority 0 (same as
global_policy). All users who don't belong to the service_accounts group will
get the standard 90 day expiry from the global_policy. Users who do belong to
the service_accounts group get the service_accounts password policy.
This seems to be a valid workaround for me. Hope it helps others.
Freeipa-users mailing list
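
Added example (not part of the original post): a shell helper that reads `ipa pwpolicy-show` output for global_policy and prints the matching `ipa pwpolicy-add` command for the group policy, overriding only Max Lifetime as the post describes. The sample policy text is constructed, and its field labels are assumed to match the output of the installed IPA version.

```shell
#!/bin/sh
# Added example: copy global_policy into a group policy, changing only
# "Max lifetime". Commands are printed for review, not executed.

# Constructed sample of `ipa pwpolicy-show` output (illustrative values;
# field labels are assumed to match the installed IPA version).
SAMPLE_GLOBAL_POLICY='  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600'

# build_pwpolicy_cmd GROUP MAXLIFE_DAYS PRIORITY   (policy text on stdin)
# Maps each known field label to its pwpolicy-add option and keeps the
# global value; Max lifetime and priority come from the arguments.
build_pwpolicy_cmd() {
    awk -F': *' -v group="$1" -v maxlife="$2" -v prio="$3" '
        BEGIN {
            opt["Min lifetime (hours)"]   = "--minlife"
            opt["History size"]           = "--history"
            opt["Character classes"]      = "--minclasses"
            opt["Min length"]             = "--minlength"
            opt["Max failures"]           = "--maxfail"
            opt["Failure reset interval"] = "--failinterval"
            opt["Lockout duration"]       = "--lockouttime"
        }
        { sub(/^[ \t]+/, "", $1) }          # strip the output indentation
        ($1 in opt) && $2 ~ /^[0-9]+$/ { args = args " " opt[$1] "=" $2; seen++ }
        END {
            # Refuse to emit a policy if nothing was parsed (label mismatch).
            if (seen == 0) { print "no policy fields parsed" > "/dev/stderr"; exit 1 }
            printf "ipa pwpolicy-add %s --maxlife=%s --priority=%s%s\n",
                   group, maxlife, prio, args
        }'
}

# Group setup from the post, then the policy built from the sample above.
# On a real server: ipa pwpolicy-show | build_pwpolicy_cmd service_accounts 7300 0
echo "ipa group-add service_accounts"
echo "ipa group-add-member service_accounts --users=ldapbind"
printf '%s\n' "$SAMPLE_GLOBAL_POLICY" | build_pwpolicy_cmd service_accounts 7300 0
```

The maximum lifetime is applied when a password is set, so an account that already has a password keeps its old expiry date until the password is changed again; `ipa user-show ldapbind --all` shows the current expiration.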