On 02/05/2015 01:21 PM, Dmitri Pal wrote:
> On 02/05/2015 05:54 AM, Matt . wrote:
>> In the past we have done some testsetups with password expiring after
>> we added a user, at the moment I have difficulties with this on 4.1.2
>>
>> What I need is the following:
>>
>> - We add a user using json/kinit
>> - The user is added in the right way
>> - tThe user should be able to use his set password by the admin (at least 
>> ldap)
>>
>> At the moment the password is expired directly and I tried adding the
>> user with min/max lifetime to 0/0 which didn't work out. Als 0/500
>> doesn't seem to fix my issue.
>>
>> I thought we had to do a little but more to accomplish this, but I'm
>> not able to find this (anymore)
>>
>> Does someone have a clue how to fix this ? I'm quite sure this is possible.
>>
>> Thanks,
>>
>> Matt
>>
> It was always the feature of IPA to require password change on the first login
> after it was created.

Yup. You can do some more reading here:
http://www.freeipa.org/page/New_Passwords_Expired

> If you do not want it to be expired you need to change the expiration 
> attribute
> of the account not min max life.

Not sure what you mean now. But the administratively set passwords are always
expired from the beginning, so the user has to change it. Then, the password
policy applies.

When you want to have non-expired passwords when added via some 3rd password
management service, you would need to set it's principal as password
synchronization agent (see the referred wiki page).

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to