[Freeipa-users] password-expiration

[None via FreeIPA-users]

Hello,
in FreeIPA 4.5.4, how do you reset a user's  password expiration date?
Many thanks.
Best regards,
Philippe
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

[Freeipa-users] Password expiration oddness

[Yuri Krysko via FreeIPA-users]

Hello All,

I have a user in our FreeIPA domain, whose password according to the applied 
policy (displayed in the user properties UI ) should have expired ~ 2 months 
ago, but it never did, nor did it force the user to reset it. The below LDAP 
user attributes show old data and all in accordance with the password policy. 
The user is still able to authenticate to the applications using LDAP 
connection against the FreeIPA servers. The krblastsuccessfulauth gets updated 
every time the user logs in. I assume if I force-reset the user’s password, it 
will go back to normal. However, I’d like to understand how to explain such a 
bizarre behavior and avoid it in the future.

User password expiration: 20190305034410Z
krblastpwdchange: 20190104034410Z
krblastsuccessfulauth: 20190501213547Z


Thanks,
Yuri





LEGAL DISCLAIMER: M.C. Dean, Inc. and its subsidiaries considers this e-mail 
and any files transmitted with it to be protected, proprietary or privileged 
information intended solely for the use of the named recipient(s). Any 
disclosure of this material or the information contained herein, in whole or in 
part, to anyone outside of the intended recipient or affiliates is strictly 
prohibited. M. C. Dean, Inc. accepts no liability for the content of this 
e-mail or for the consequences of any actions taken on the basis of the 
information contained in it, unless that information is subsequently confirmed 
in writing. Employees of M.C. Dean, Inc. are instructed not to infringe on any 
rights of the recipient; any such communication violates company policy. If you 
are not the intended recipient, any disclosure, copying, distribution, or 
action taken or omitted in reliance on this information is strictly prohibited 
by M.C. Dean, Inc.; please notify the sender immediately by return e-mail, 
delete this communication and destroy all copies.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

[Freeipa-users] Password Expiration and direct LDAP calls

[Jeremy Utley via FreeIPA-users]

Hello to the mailing list!

We are running FreeIPA to handle authentication, and having an issue.  We
have a few tools that can not use the full IPA stack (PAM/SSSD/Kerberos),
but instead have to talk to the underlying LDAP server directly.  The
problem we are facing is when user passwords expire, those users are still
granted access to these tools that only use LDAP.  In researching this
issue, I ran into https://pagure.io/freeipa/issue/1539 - which seems to be
related.  Is this still a known issue?  Is there any way around it (like
being able to automatically disable any user who's password has been
expired for a certain period of time?  This is within a PCI-compliant
infrastructure, so we have to make sure we cover all bases.

Thanks for any help you can give!

Jeremy Utley
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org