Great! Btw +1 for running on IPA 3.3.3, it has much more to offer than RHEL/CentOS 6.x one.
Martin On 09/03/2014 06:08 PM, Zip Ly wrote: > @Martin > > Ah that explains everything. We were using centos 6.5 + ipa 3.0.0 > Now with a new test setup centos 7 + ipa 3.3.3, it works just as we wanted. > > Thank all for the help! > > > On Tue, Sep 2, 2014 at 5:19 PM, Martin Kosek <mko...@redhat.com> wrote: > >> On 09/02/2014 10:42 AM, Zip Ly wrote: >>> @Martin >>> >>> The second admin is my service account. I use this account to communicate >>> with our webapplication (it uses keytab and post/curl json to ipa). I can >>> add users without a problem. But when it comes to changing password, the >>> password is expired immediately. >>> >>> I have only one password policy and that's the 'global_policy'. The >>> --maxlife you mentioned only affect this policy. If I use this service >>> account to change the user password, the policy is ignored just as stated >>> in the ipa wiki. Even if I set the --maxlife to 200, if the password is >>> being resetted by this first admin, then the expire date is set to 90 >> days >>> or expired immediately by the second admin/service account. >>> >>> That's why I want to know how to change this 90 days and also apply it >> for >>> the service account. >> >> What version of FreeIPA do you use? Maybe you are hitting >> https://fedorahosted.org/freeipa/ticket/3968 >> that we fixed in FreeIPA 3.3.3. >> >> Martin >> > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project