I am setting up an LDAP connection from our Identity Management system which provisions our IPA servers with fresh users and groups. I set it up pretty nice so far, with some added privileges for change admin passwords and avoiding password resets. But when we create a brand new user with a password, IPA resets the krbPasswordExpiration to match the IPA password policy - but we have another policy in our central identity management which gets must get set at user create time.

So the question is:
Is there any way I can avoid getting krbPasswordExpiration reset to match the password policy?

and a followup question:
Is this the same with AD sync? passwords from AD gets synced, but expiration is determined by local password policies on the IPA servers?

Martin R Mortensen
Linux Specialist

University of Copenhagen

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to