[Freeipa-users] non-expiring password policy (or as close as I can come)
I have a need to have certain mission critical application accounts non-expiring (people don't log in directly, but if the accounts expire it could stop production jobs.) I've set Max lifetime (days) to 9 in the web interface, but here's what I see when I do ipa pwpolicy show: Group: application-accounts Max lifetime (days): 8639913600 Min lifetime (hours): 0 History size: 0 Character classes: 3 Min length: 8 Priority: 0 Max failures: 0 Failure reset interval: 0 Lockout duration: 0 I have a user that is a member of the application-accounts group and they reset their password yesterday, but their password is set to expire in three months: krbpasswordexpiration: 20130423220808Z krbpwdpolicyreference: cn=application-accounts Have I hit some maximum and I'm confusing IPA? Or do I completely misunderstand these entries? I also have a case open with RH on this, but I haven't heard anything back yet. If I get this solved through them I'll be sure to reply with results. Thanks, --Jason ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] non-expiring password policy (or as close as I can come)
KodaK wrote: I have a need to have certain mission critical application accounts non-expiring (people don't log in directly, but if the accounts expire it could stop production jobs.) I've set Max lifetime (days) to 9 in the web interface, but here's what I see when I do ipa pwpolicy show: Group: application-accounts Max lifetime (days): 8639913600 Min lifetime (hours): 0 History size: 0 Character classes: 3 Min length: 8 Priority: 0 Max failures: 0 Failure reset interval: 0 Lockout duration: 0 I have a user that is a member of the application-accounts group and they reset their password yesterday, but their password is set to expire in three months: krbpasswordexpiration: 20130423220808Z krbpwdpolicyreference: cn=application-accounts Have I hit some maximum and I'm confusing IPA? Or do I completely misunderstand these entries? I also have a case open with RH on this, but I haven't heard anything back yet. If I get this solved through them I'll be sure to reply with results. It is a 32-bit time problem. I'd set the maxlife no higher than 5000 for now. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] non-expiring password policy (or as close as I can come)
Steven Jones wrote: Hi, That could explain why hasnt worked for my service accounts. Is this fixed in 6.4? No, we are still working on the fix on the freeipa-devel list. rob regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Rob Crittenden [rcrit...@redhat.com] Sent: Friday, 25 January 2013 11:03 a.m. To: KodaK Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] non-expiring password policy (or as close as I can come) KodaK wrote: I have a need to have certain mission critical application accounts non-expiring (people don't log in directly, but if the accounts expire it could stop production jobs.) I've set Max lifetime (days) to 9 in the web interface, but here's what I see when I do ipa pwpolicy show: Group: application-accounts Max lifetime (days): 8639913600 Min lifetime (hours): 0 History size: 0 Character classes: 3 Min length: 8 Priority: 0 Max failures: 0 Failure reset interval: 0 Lockout duration: 0 I have a user that is a member of the application-accounts group and they reset their password yesterday, but their password is set to expire in three months: krbpasswordexpiration: 20130423220808Z krbpwdpolicyreference: cn=application-accounts Have I hit some maximum and I'm confusing IPA? Or do I completely misunderstand these entries? I also have a case open with RH on this, but I haven't heard anything back yet. If I get this solved through them I'll be sure to reply with results. It is a 32-bit time problem. I'd set the maxlife no higher than 5000 for now. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] non-expiring password policy (or as close as I can come)
On Thu, Jan 24, 2013 at 4:03 PM, Rob Crittenden rcrit...@redhat.com wrote: It is a 32-bit time problem. I'd set the maxlife no higher than 5000 for now. Thanks. Is there a way to apply this policy retroactively without requiring my users to reset passwords? --Jason ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] non-expiring password policy (or as close as I can come)
KodaK wrote: On Thu, Jan 24, 2013 at 4:03 PM, Rob Crittenden rcrit...@redhat.com wrote: It is a 32-bit time problem. I'd set the maxlife no higher than 5000 for now. Thanks. Is there a way to apply this policy retroactively without requiring my users to reset passwords? --Jason You'd have to manually tweak the password expiration in the records using ldapmodify. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] non-expiring password policy (or as close as I can come)
On 01/24/2013 11:17 PM, KodaK wrote: On Thu, Jan 24, 2013 at 4:03 PM, Rob Crittenden rcrit...@redhat.com wrote: It is a 32-bit time problem. I'd set the maxlife no higher than 5000 for now. Thanks. Is there a way to apply this policy retroactively without requiring my users to reset passwords? A calender will be shown to choose a date and time for simplicity if you download and use the Apache Directory Studio (http://directory.apache.org/studio/) to edit the krbPasswordExpiration attribute for an user account. It works well. Regards, Siggi ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] non-expiring password policy (or as close as I can come)
On Thu, Jan 24, 2013 at 5:05 PM, Sigbjorn Lie sigbj...@nixtra.com wrote: A calender will be shown to choose a date and time for simplicity if you download and use the Apache Directory Studio (http://directory.apache.org/studio/) to edit the krbPasswordExpiration attribute for an user account. It works well. This is exactly what I ended up doing. I didn't have many, otherwise I would have rigged up an ldapmodify script. ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] non-expiring password policy (or as close as I can come)
On Thu, Jan 24, 2013 at 10:51 PM, KodaK sako...@gmail.com wrote: I have a need to have certain mission critical application accounts non-expiring (people don't log in directly, but if the accounts expire it could stop production jobs.) Without knowing anything about this particular case, could you not use a service account autheticated with a keytab? I have succesfully used this for authenticating webapps to postgresql, you just need to schedule a renewal of the ticket in cron and use the $KRB5CCNAME environment variable to point to the right place. It was surprisingly easy and works very well. -- groet, natxo ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users