Re: [Freeipa-users] IdM Password Expiration

2015-08-05 Thread Robert Locke
On Wed, 2015-08-05 at 10:31 +0200, David Kupka wrote:
> On 04/08/15 17:01, Robert Locke wrote:
> > Hey folks,
> >
> > I have been using the following to adjust the Password Expiration of
> > accounts in IdM/IPA:
> >  echo "$ADMIN_PASS" | kinit admin
> >  echo -e "dn: uid=rheluseri,cn=users,cn=accounts,dc=example,dc=com\nchangetype: modify\nreplace: krbPasswordExpiration\nkrbPasswordExpiration: 2030010100Z\n" | ldapmodify -x -D 'cn=Directory Manager' -w $ADMIN_PASS
> >
> > This has worked nicely for me.
> >
> > My "new" problem is that the admin account itself expires after 90 days.
> > I thought since ldapsearch does show the admin account, that simply
> > substituting the uid might work.
> >
> >  echo -e "dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com\nchangetype: modify\nreplace: krbPasswordExpiration\nkrbPasswordExpiration: 2030010100Z\n" | ldapmodify -x -D 'cn=Directory Manager' -w $ADMIN_PASS
> >
> > My attempts to adjust the admin account in this similar fashion have
> > been not surprisingly unsuccessful.
> >
> > Suggestions/pointers?
> >
> > --Rob
> >
> >
> >
> Hello,
> I just tried to set krbPasswordExpiration attribute for admin and it 
> worked as expected:
> 
> $ ipa user-show admin --all
>   dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
>   User login: admin
>   ...
>   krbpasswordexpiration: 2020010100Z
>   ...
> 
> $ echo -e "dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com\nchangetype: modify\nreplace: krbPasswordExpiration\nkrbPasswordExpiration: 2030010100Z\n" | ldapmodify -x -D 'cn=Directory Manager' -w $DM_PASS
> modifying entry "uid=admin,cn=users,cn=accounts,dc=example,dc=com"
> 
> $ ipa user-show admin --all
>   dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
>   User login: admin
>   ...
>   krbpasswordexpiration: 2030010100Z
>   ...
> 
> Could you provide more information about what is failing? Only thing 
> that comes to my mind is that you're using $ADMIN_PASS variable where 
> Directory Manager password is required but I know it's just name of the 
> variable.
> 

You're right. It was my mistake.

My reality is that $ADMIN_PASS is used to set both the Directory Manager
and admin passwords initially during ipa-server-install. When I was
faced with having to change the admin password, I failed to realize that
the Directory Manager password had remained the same, so all my
"testing" was simply using the wrong new password of admin when I simply
needed to use the old password of Directory Manager.

Sorry for the noise. And thanks for checking it on me.

--Rob

-- 
Robert Locke Google Voice: (203) 794-6007
Senior Curriculum Developer rlo...@redhat.com
GnuPG: A334 CAB1 451A 6083 CDD8  40FE A5DE E418 82E0 0780



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
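
The procedure from this thread as a small shell helper (an added example, not code from any poster): it builds the same LDIF record with input checks, confirms the Directory Manager bind with ldapwhoami before modifying, and reads the password from a file via -y instead of -w. The function names and the password-file argument are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Function names and the password-file
# argument are assumptions; the DN suffix is the one used in the thread.
BASE_DN='cn=users,cn=accounts,dc=example,dc=com'

# Print the LDIF modify record for one user; return 1 on bad input.
build_expiry_ldif() {
    uid=$1
    when=$2
    # The uid is spliced into a DN, so accept only a conservative character
    # set: a comma, '=' or newline would otherwise change the record.
    case $uid in
        ''|*[!A-Za-z0-9._-]*) echo "bad uid: $uid" >&2; return 1 ;;
    esac
    # GeneralizedTime in the thread's form: 10, 12 or 14 digits, then 'Z'.
    case $when in
        *[!0-9Z]*|*Z?*) echo "bad time: $when" >&2; return 1 ;;
    esac
    digits=${when%Z}
    [ "$digits" != "$when" ] || { echo "bad time: $when" >&2; return 1; }
    case ${#digits} in
        10|12|14) ;;
        *) echo "bad time: $when" >&2; return 1 ;;
    esac
    printf 'dn: uid=%s,%s\nchangetype: modify\n' "$uid" "$BASE_DN"
    printf 'replace: krbPasswordExpiration\nkrbPasswordExpiration: %s\n' "$when"
}

# Bind as Directory Manager and apply the record. The password comes from a
# file (-y) rather than -w, so it does not appear in the process list. The
# whole file is used as the password: write it without a trailing newline.
set_expiry() {
    dm_pw_file=$1
    ldif=$(build_expiry_ldif "$2" "$3") || return 1
    # Test the bind on its own first. A failure here is about the Directory
    # Manager password, whatever the IPA admin password currently is.
    ldapwhoami -x -D 'cn=Directory Manager' -y "$dm_pw_file" >/dev/null || {
        echo "Directory Manager bind failed" >&2
        return 2
    }
    printf '%s\n' "$ldif" | ldapmodify -x -D 'cn=Directory Manager' -y "$dm_pw_file"
}
```

Sourcing the file only defines the functions; a call such as set_expiry /root/dm.pw admin 2030010100Z (path is a placeholder) performs the bind check and the modify.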

Re: [Freeipa-users] IdM Password Expiration

2015-08-05 Thread David Kupka

On 04/08/15 17:01, Robert Locke wrote:
> Hey folks,
>
> I have been using the following to adjust the Password Expiration of
> accounts in IdM/IPA:
>  echo "$ADMIN_PASS" | kinit admin
>  echo -e "dn: uid=rheluseri,cn=users,cn=accounts,dc=example,dc=com\nchangetype: modify\nreplace: krbPasswordExpiration\nkrbPasswordExpiration: 2030010100Z\n" | ldapmodify -x -D 'cn=Directory Manager' -w $ADMIN_PASS
>
> This has worked nicely for me.
>
> My "new" problem is that the admin account itself expires after 90 days.
> I thought since ldapsearch does show the admin account, that simply
> substituting the uid might work.
>
>  echo -e "dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com\nchangetype: modify\nreplace: krbPasswordExpiration\nkrbPasswordExpiration: 2030010100Z\n" | ldapmodify -x -D 'cn=Directory Manager' -w $ADMIN_PASS
>
> My attempts to adjust the admin account in this similar fashion have
> been not surprisingly unsuccessful.
>
> Suggestions/pointers?
>
> --Rob

Hello,
I just tried to set krbPasswordExpiration attribute for admin and it 
worked as expected:


$ ipa user-show admin --all
  dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
  User login: admin
  ...
  krbpasswordexpiration: 2020010100Z
  ...

$ echo -e "dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com\nchangetype: modify\nreplace: krbPasswordExpiration\nkrbPasswordExpiration: 2030010100Z\n" | ldapmodify -x -D 'cn=Directory Manager' -w $DM_PASS

modifying entry "uid=admin,cn=users,cn=accounts,dc=example,dc=com"

$ ipa user-show admin --all
  dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
  User login: admin
  ...
  krbpasswordexpiration: 2030010100Z
  ...

Could you provide more information about what is failing? Only thing 
that comes to my mind is that you're using $ADMIN_PASS variable where 
Directory Manager password is required but I know it's just name of the 
variable.


--
David Kupka



[Freeipa-users] IdM Password Expiration

2015-08-04 Thread Robert Locke
Hey folks,

I have been using the following to adjust the Password Expiration of
accounts in IdM/IPA:
echo "$ADMIN_PASS" | kinit admin
echo -e "dn: uid=rheluseri,cn=users,cn=accounts,dc=example,dc=com\nchangetype: modify\nreplace: krbPasswordExpiration\nkrbPasswordExpiration: 2030010100Z\n" | ldapmodify -x -D 'cn=Directory Manager' -w $ADMIN_PASS

This has worked nicely for me.

My "new" problem is that the admin account itself expires after 90 days.
I thought since ldapsearch does show the admin account, that simply
substituting the uid might work.

echo -e "dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com\nchangetype: modify\nreplace: krbPasswordExpiration\nkrbPasswordExpiration: 2030010100Z\n" | ldapmodify -x -D 'cn=Directory Manager' -w $ADMIN_PASS

My attempts to adjust the admin account in this similar fashion have
been not surprisingly unsuccessful.

Suggestions/pointers?

--Rob

-- 
Robert Locke Google Voice: (203) 794-6007
Senior Curriculum Developer rlo...@redhat.com
GnuPG: A334 CAB1 451A 6083 CDD8  40FE A5DE E418 82E0 0780


