I've seen a few references to this when searching the lists and mention of 
enhancements to later versions of freeipa to allow setting certain users to 
have passwords that don't expire.

I'm on rhel6, which has an older freeipa, and I can't see it being updated 
anytime soon. So I thought I'd share what I did to work around this.

Scenario: set up a user account with a password that doesn't expire. Example: an 
account with credentials to bind to ldap to do searches.

Created a user "ldapbind" in freeipa.
Created a user group in freeipa: service_accounts
Added ldapbind as a member of service_accounts
Created a new password policy in freeipa: service_accounts
Replicated the same settings in the service_accounts password policy as per the 
default global_policy with the exception of "Max Lifetime", which, instead of 
90 days, I set to 7300 days.
The service_accounts policy was created with priority 0 (same as 
global_policy). All users who don't belong to the service_accounts group will 
get the standard 90 day expiry from the global_policy. Users who do belong to 
the service_accounts group get the service_accounts password policy.

This seems to be a valid workaround for me. Hope it helps others.
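The same steps scripted with the ipa command-line client, as an added example that is not part of the original post. It assumes an admin Kerberos ticket (kinit admin), the ipa client tools on the path, and the field labels that `ipa pwpolicy-show` prints (e.g. "Max lifetime (days): 90"); the first/last names given to the account are placeholders. Set DRY_RUN=1 to print the commands instead of running them, and IPA_APPLY=1 to execute the whole procedure.

```shell
#!/bin/sh
# Added example, not from the original post: script the "long-lived password
# for a service account" workaround with the ipa CLI. Names and values
# (ldapbind, service_accounts, 7300 days, priority 0) come from the post.
set -eu

: "${DRY_RUN:=0}"   # DRY_RUN=1 prints the ipa commands instead of running them

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Extract one labelled field from `ipa pwpolicy-show` output on stdin.
# Assumption: the client prints fields as "  Label: value".
policy_field() {
    label=$1
    sed -n "s/^ *$label: *//p"
}

# Steps from the post: user, group, membership, then a group password policy
# with the same priority as global_policy and only Max Lifetime changed.
create_service_account_policy() {
    user=$1; group=$2; maxlife=$3
    run ipa user-add "$user" --first="Service" --last="Account"   # placeholder names
    run ipa group-add "$group" --desc="Service accounts with long-lived passwords"
    run ipa group-add-member "$group" --users="$user"
    run ipa pwpolicy-add "$group" --priority=0 --maxlife="$maxlife"
}

# Copy the remaining global_policy settings onto the group policy so the two
# differ only in Max Lifetime, as the post did by hand in the UI.
copy_global_settings() {
    group=$1
    global=$(ipa pwpolicy-show global_policy)
    run ipa pwpolicy-mod "$group" \
        --minlife="$(printf '%s\n' "$global" | policy_field 'Min lifetime (hours)')" \
        --history="$(printf '%s\n' "$global" | policy_field 'History size')" \
        --minclasses="$(printf '%s\n' "$global" | policy_field 'Character classes')" \
        --minlength="$(printf '%s\n' "$global" | policy_field 'Min length')"
}

# The check that matters: which policy is actually in effect for the user.
# A group policy that loses on priority to another group policy is silently
# ignored, so verify the resolved Max Lifetime rather than the policy object.
effective_maxlife() {
    user=$1
    ipa pwpolicy-show --user="$user" | policy_field 'Max lifetime (days)'
}

# Constructed sample of `ipa pwpolicy-show --user=ldapbind` output, used to
# exercise policy_field offline; not captured from a real server.
SAMPLE_PWPOLICY_OUTPUT='  Group: service_accounts
  Max lifetime (days): 7300
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Priority: 0'

if [ "${IPA_APPLY:-0}" = "1" ]; then
    create_service_account_policy ldapbind service_accounts 7300
    copy_global_settings service_accounts
    echo "Effective Max Lifetime for ldapbind: $(effective_maxlife ldapbind) days"
fi
```

Note that the new lifetime is applied when a password is next set under the policy; an account whose password was set under the 90-day global_policy keeps its existing expiry date until the password is changed again, so set or reset the service account's password after the policy is in place and confirm with `effective_maxlife`.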

Freeipa-users mailing list