Hi,

Thanks, this brought me further.

I don't see that attribute while kinit as admin.

When I use an LDAP editor and log in as DM on my full cn domain I can
get into kerberos => My DN => cn=global policy. When I set the
krbMaxPwdLife very high this doesn't matter, I need to higher up the
first calculation...

I need the global kerberos calculation time for that, but where is it located?

That would solve my issue for sure!





> On 02/05/2015 08:32 AM, Matt . wrote:
>>
>> Hi,
>>
>> I'm already doing so without any luck. If you remember something,
>> would be nice to know!
>>
>> So it should be possible to do still?
>
>
> Do the ipa user-show --raw, there will be a time stamp. It is the
> krbPasswordExpiration attribute. It will be set to the user creation time
> (or something like, i.e. in the past).
> I think you can use ipa user-mod --setattr... to set it to a value into the
> future.
>
>
>>
>> 2015-02-05 14:26 GMT+01:00 Dmitri Pal <d...@redhat.com>:
>>>
>>> On 02/05/2015 07:59 AM, Matt . wrote:
>>>>
>>>> Hi,
>>>>
>>>> OK, but as far as I understand we made some change, using a
>>>> commandline command which I cannot remember or find, which goes around
>>>> the password policy, or the attribute you talk about, when you add a
>>>> user.
>>>>
>>>> Can I change that globally? As we did it seems... but we were testing
>>>> so much back those days that it seems to be lost or so.
>>>
>>>
>>> I do not remember the details from top of my head. You can probably try to
>>> search the mail archives.
>>>
>>>>
>>>> Thanks,
>>>>
>>>> Matt
>>>>
>>>> 2015-02-05 13:21 GMT+01:00 Dmitri Pal <d...@redhat.com>:
>>>>>
>>>>> On 02/05/2015 05:54 AM, Matt . wrote:
>>>>>>
>>>>>> In the past we have done some test setups with password expiring after
>>>>>> we added a user, at the moment I have difficulties with this on 4.1.2
>>>>>>
>>>>>> What I need is the following:
>>>>>>
>>>>>> - We add a user using json/kinit
>>>>>> - The user is added in the right way
>>>>>> - The user should be able to use his set password by the admin (at
>>>>>> least ldap)
>>>>>>
>>>>>> At the moment the password is expired directly and I tried adding the
>>>>>> user with min/max lifetime to 0/0 which didn't work out. Also 0/500
>>>>>> doesn't seem to fix my issue.
>>>>>>
>>>>>> I thought we had to do a little bit more to accomplish this, but I'm
>>>>>> not able to find this (anymore)
>>>>>>
>>>>>> Does someone have a clue how to fix this? I'm quite sure this is
>>>>>> possible.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Matt
>>>>>>
>>>>> It was always the feature of IPA to require password change on the
>>>>> first login after it was created.
>>>>> If you do not want it to be expired you need to change the expiration
>>>>> attribute of the account not min max life.
>>>>>
>>>>> --
>>>>> Thank you,
>>>>> Dmitri Pal
>>>>>
>>>>> Sr. Engineering Manager IdM portfolio
>>>>> Red Hat, Inc.
>>>>>
>>>>> --
>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>> Go To http://freeipa.org for more info on the project
>>>
>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
>>>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
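
The check-and-set procedure suggested in the quoted reply (read krbPasswordExpiration from `ipa user-show --raw`, then move it into the future with `ipa user-mod --setattr`), as an added example that is not part of the original thread. The user `jdoe`, the sample output and the helper names are constructed; `date -d` assumes GNU date, and the script only prints the `ipa user-mod` command instead of running it.

```shell
#!/bin/sh
# Constructed sample of `ipa user-show jdoe --raw` output (not from the thread).
SAMPLE_RAW='  uid: jdoe
  krbPrincipalName: jdoe@EXAMPLE.TEST
  krbPasswordExpiration: 20150205125400Z
  uidNumber: 10001'

# Pull the krbPasswordExpiration value (GeneralizedTime, UTC) out of raw output.
get_expiration() {
    printf '%s\n' "$1" | awk '$1 == "krbPasswordExpiration:" { print $2; exit }'
}

# Succeed if timestamp $1 is at or before reference time $2.
# Both are fixed-width YYYYMMDDHHMMSSZ, so a numeric compare is sufficient.
is_expired() {
    [ "${1%Z}" -le "${2%Z}" ]
}

# Convert a Unix epoch to GeneralizedTime (assumes GNU date).
stamp_from_epoch() {
    date -u -d "@$1" +%Y%m%d%H%M%SZ
}

# GeneralizedTime for "now + N days".
future_stamp() {
    stamp_from_epoch "$(( $(date +%s) + $1 * 86400 ))"
}

# Build (but do not run) the command that overrides the expiration.
build_user_mod() {
    printf 'ipa user-mod %s --setattr=krbPasswordExpiration=%s\n' "$1" "$2"
}

NOW=$(stamp_from_epoch "$(date +%s)")
EXP=$(get_expiration "$SAMPLE_RAW")
if is_expired "$EXP" "$NOW"; then
    echo "password for jdoe expired at $EXP; to move expiry 90 days ahead:"
    build_user_mod jdoe "$(future_stamp 90)"
else
    echo "password for jdoe is valid until $EXP"
fi
```
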