On 03/06/2014 08:10 AM, Bret Wortman wrote:
Just found with some fresh Googling an email from Rob recommending setting the max to 5000. I'll try that.


Just make sure it is not after 2038 because Kerberos uses 32 bit time that rolls over in Feb of 2038.



On 03/06/2014 08:08 AM, Bret Wortman wrote:
Is there a way to set a password to not expire? I thought I read somewhere that 0 did that, but apparently not.

On 03/06/2014 07:55 AM, Sumit Bose wrote:
On Thu, Mar 06, 2014 at 07:39:15AM -0500, Bret Wortman wrote:
Strange behavior now with our passwords (and we still haven't solved
our problem with the "ipa" command, but at least with script, we
have a workaround):

I noticed yesterday morning that my password, which has the
following policy, was going to expire in 3 days so I changed it.

Max lifetime (days) : 0

I think the behaviour is expected with this maximal lifetime.

bye,
Sumit

Min lifetime (hours) : 0
History size (number of passwords): 0
Character classes: 2
Min length: 8
Max failures: 4
Failure reset interval (seconds): 60
Lockout duration (seconds): 60

The IPA web UI immediately began reporting in red that "Your
password expires in -1 days."

This morning, I ran "kinit":

$ kinit
Password for br...@damascusgrp.com:
Password expired.  You must change it now.
Enter new password:
Enter it again:
Warning: Your password will expire in less than one hour on Thu 06
Mar 2014 06:45:48 AM EST
$

What's up? I'd like to solve this before it bites any of my users,
though most have a policy that looks more like this:

Max lifetime (days) : 180
Min lifetime (hours) : 1
History size (number of passwords): 0
Character classes: 2
Min length: 8
Max failures: 6
Failure reset interval (seconds): 60
Lockout duration (seconds): 600


--
*Bret Wortman*

http://damascusgrp.com/
http://about.me/wortmanbret



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

