On 29/06/16 19:05, Roderick Johnstone wrote:

If I set a kerberos principal for a user to expire on a given date using:
ipa user-mod <user> --principal-expiration=DATE
is it possible to later remove this expiration date rather than just set
it to a time far in the future?


Roderick Johnstone

Hello Roderick,
AFAIK the only way to remove principal expiration at the time is remove krbPrincipalExpiration attribute from the user entry in DS.

$ kinit admin
Password for ad...@example.org
$ ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: ad...@example.org
SASL data security layer installed.
changetype: modify
delete: krbprincipalexpiration
modifying entry "uid=tuser,cn=users,cn=accounts,dc=example,dc=org"

I think that it makes sense to expose this in API. Could you please file RFE (https://fedorahosted.org/freeipa/newticket)?

David Kupka

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to