On 12/10/2014 03:36 AM, Dmitri Pal wrote:
> On 12/09/2014 08:43 PM, Thomas Lau wrote:
>> Hi All,
>> FreeIPA Default is using 60days password expiry, how could I change it?
> You go to password policies and change the global password policy.
> You change MAX lifetime.
> This is a global setting it will apply to new passwords/keytabs when they are
> changed next time.
> You can create other policies and apply them to groups it you need.

Right. BTW, the default is 90 days, not sixty:

# ipa pwpolicy-show
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600

>> Also, for existing accounts, can I just change krbPasswordExpiration
>> on LDAP?
> I think the answer is yes.

You will need to be Directory Manager for such change. Normally, it is excepted
that the new password policy is applied on next user password change.

>> anywhere else I need to change?
> I think the answer is no


>> do I need to generate keytab
>> on Kerberos to activate new expiry date?
> If you change the expiration in the attribute then no.

More on password policies here:


Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to