On 12/09/2014 08:43 PM, Thomas Lau wrote:
Hi All,

FreeIPA Default is using 60days password expiry, how could I change it?

You go to password policies and change the global password policy.
You change MAX lifetime.
This is a global setting it will apply to new passwords/keytabs when they are changed next time.
You can create other policies and apply them to groups it you need.

Also, for existing accounts, can I just change krbPasswordExpiration
on LDAP?

I think the answer is yes.

anywhere else I need to change?

I think the answer is no

do I need to generate keytab
on Kerberos to activate new expiry date?

If you change the expiration in the attribute then no.

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to