On 12/09/2014 08:43 PM, Thomas Lau wrote:
Hi All,

FreeIPA Default is using 60days password expiry, how could I change it?

You go to password policies and change the global password policy.
You change MAX lifetime.
This is a global setting it will apply to new passwords/keytabs when they are changed next time.
You can create other policies and apply them to groups it you need.


Also, for existing accounts, can I just change krbPasswordExpiration
on LDAP?

I think the answer is yes.

anywhere else I need to change?

I think the answer is no

do I need to generate keytab
on Kerberos to activate new expiry date?

If you change the expiration in the attribute then no.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to