Martin René Mortensen wrote:
> Hi,
> I am setting up an LDAP connection from our Identity Management system
> which provisions our IPA servers with fresh users and groups.
> I set it up pretty nice so far, with some added privileges for change
> admin passwords and avoiding password resets.
> But when we create a brand new user with a password, IPA resets the
> krbPasswordExpiration to match the IPA password policy - but we have
> another policy in our central identity management which gets must get
> set at user create time.
> So the question is:
> Is there any way I can avoid getting krbPasswordExpiration reset to
> match the password policy?

I assume you are binding via LDAP to manage the users in which case you
can use this to not automatically expire reset passwords:

> and a followup question:
> Is this the same with AD sync? passwords from AD gets synced, but
> expiration is determined by local password policies on the IPA servers?

You'd need to keep the password policies in sync between the two
systems. Once they are synced they are independent unless the password
is changed.


Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to