Re: [Freeipa-users] Password expiry when account provisioned/updated via JSON RPC

2013-03-06 Thread Brian Smith
I'm going to dig into it further, hopefully produce a patch in the next few
days.  My work-around for right now is ldapmodifying
the krbPasswordExpiration attribute on the account after creation and
subsequent password updates.


On Wed, Mar 6, 2013 at 8:40 AM, Dmitri Pal wrote:

>  On 03/05/2013 10:28 PM, Brian Smith wrote:
>
>  I set the policy to 1 year and recreated the account.
>
>  $ ipa pwpolicy-show --user=it-rc-test-faculty
>   Group: global_policy
>   Max lifetime (days): 365
>   Min lifetime (hours): 1
>   History size: 0
>   Character classes: 0
>   Min length: 8
>   Max failures: 10
>   Failure reset interval: 60
>   Lockout duration: 600
>
>  Looks like a bug was filed for this about 9 months ago:
> https://fedorahosted.org/freeipa/ticket/2795
>
>  I can also confirm the same behavior when the policy is set to 0 days,
> less than 90 days, or if I create a separate password policy for users in
> the ipausers group.  The result is always 90 days.
>
>  If the user updates the password themselves (after initial login) then
> the password policy works and sets the expiry accordingly.
>
>  The user that is adding the users with userpasswd set appears in the
> passsyncmanagersdns list:
>
>  passsyncmanagersdns:
> uid=rc-user-svcacct,cn=users,cn=accounts,dc=rc,dc=usf,dc=edu
>
>
> Can you work around this issue?
> While it was filed 9 months ago it was found to not be that critical so we
> deferred it till later time.
> Patches are always welcome too :-)
>
>
>
>
> On Mon, Mar 4, 2013 at 2:40 PM, Rob Crittenden wrote:
>
>> Brian Smith wrote:
>>
>>>  Thanks for your response, and sorry for my late response.  I'm on RHEL6,
>>> using the packages from the distribution
>>> repository, ipa-server-2.2.0-17.el6_3.1.x86_64
>>>
>>> My pwpolicy is set as such (in testing):
>>>
>>> $ ipa pwpolicy-show --all
>>>dn: cn=global_policy,cn=rc.usf.edu,cn=kerberos,dc=rc,dc=usf,dc=edu
>>>
>>>Group: global_policy
>>>Max lifetime (days): 365
>>>Min lifetime (hours): 1
>>>History size: 0
>>>Character classes: 0
>>>Min length: 8
>>>Max failures: 10
>>>Failure reset interval: 60
>>>Lockout duration: 600
>>>objectclass: top, nsContainer, krbPwdPolicy
>>>
>>>
>>> If I create an account and set the password using the following JSON
>>> string, against $server/ipa/json, say today,
>>>
>>> {
>>>   "method":"user_add",
>>>   "params":[ [],
>>> {
>>>   "uid":"it-rc-test-faculty",
>>>   "homedirectory":"/home/i/it-rc-test-faculty",
>>>   "userpassword":"MyPasswordInTheClear",
>>>   "givenname":"RC TEST - Faculty",
>>>   "sn":"Service_Account"
>>> }]
>>> }
>>>
>>> I get a password expiry time like so:
>>>
>>> $ ipa user-show --all it-rc-test-faculty | grep krbpasswordexpiration
>>> krbpasswordexpiration: 20130602163523Z
>>>
>>> That's clearly not one year into the future, but more like 90 days.
>>>
>>> Is there something else I'm missing or are we looking at a bug?
>>>
>>
>> I still can't reproduce this. I tried from our 3.x branch and the 2.2
>> bits on 6.3.
>>
>> Can you do: ipa pwpolicy-show --user=it-rc-test-faculty
>>
>> This will show the policy applied to that user.
>>
>> Might also check /var/log/dirsrv/slapd-REALM/errors for anything
>> suspicious.
>>
>> rob
>>
>>
>>> Many thanks,
>>> -Brian
>>>
>>>
>>> On Tue, Feb 26, 2013 at 3:22 AM, Martin Kosek wrote:
>>>
>>> On 02/25/2013 04:38 PM, Brian Smith wrote:
>>>  > It seems that regardless of the global password expiry setting,
>>> that setting a
>>>  > password via the methods
>>>  >
>>>  > user-add
>>>  > passwd
>>>  >
>>>  > i will always have a password that expires in 90 days.  I
>>> followed the
>>>  > instructions here http://freeipa.org/page/PasswordSynchronization
>>>  >
>>>  > to avoid the immediate expiry, but I need at least 180 days for my
>>>  > configuration to work.
>>>  >
>>>  > Any help would be appreciated!
>>>  >
>>>  > --
>>>  > Brian Smith
>>>  > Assistant Director
>>>  > Research Computing, University of South Florida
>>>  > 4202 E. Fowler Ave. SVC4010
>>>   > Office Phone: +1 813 974-1467 
>>>
>>>  > Organization URL: http://rc.usf.edu
>>>  >
>>>
>>> Hello Brian,
>>>
>>> Updating maximum password expiration time with "ipa pwpolicy-mod"
>>> affects only
>>> new passwords, i.e. password that you already changed will have the
>>> old lifetime.
>>>
>>> When I tested this on Fedora 18, password change worked for me:
>>>
>>> # ipa pwpolicy-mod --maxlife 180
>>>Group: global_policy
>>>Max lifetime (days): 180
>>>Min lifetime (hours): 1
>>>History size: 0
>>>Character classes: 0
>>>Min length: 8
>>>Max failures: 6
>>>Failure reset interval: 60
>>>Lockout duration: 600
>>>
>>> # ipa user-add --first=Foo --last=Bar fbar
>>> --

Re: [Freeipa-users] Password expiry when account provisioned/updated via JSON RPC

2013-03-06 Thread Dmitri Pal
On 03/05/2013 10:28 PM, Brian Smith wrote:
> I set the policy to 1 year and recreated the account.
>
> $ ipa pwpolicy-show --user=it-rc-test-faculty
>   Group: global_policy
>   Max lifetime (days): 365
>   Min lifetime (hours): 1
>   History size: 0
>   Character classes: 0
>   Min length: 8
>   Max failures: 10
>   Failure reset interval: 60
>   Lockout duration: 600
>
> Looks like a bug was filed for this about 9 months
> ago: https://fedorahosted.org/freeipa/ticket/2795
>
> I can also confirm the same behavior when the policy is set to 0 days,
> less than 90 days, or if I create a separate password policy for users
> in the ipausers group.  The result is always 90 days.
>
> If the user updates the password themselves (after initial login) then
> the password policy works and sets the expiry accordingly.  
>
> The user that is adding the users with userpasswd set appears in the
> passsyncmanagersdns list:
>
> passsyncmanagersdns:
> uid=rc-user-svcacct,cn=users,cn=accounts,dc=rc,dc=usf,dc=edu
>

Can you work around this issue?
While it was filed 9 months ago it was found to not be that critical so
we deferred it till later time.
Patches are always welcome too :-)


>
> On Mon, Mar 4, 2013 at 2:40 PM, Rob Crittenden wrote:
>
> Brian Smith wrote:
>
> Thanks for your response, and sorry for my late response.  I'm
> on RHEL6,
> using the packages from the distribution
> repository, ipa-server-2.2.0-17.el6_3.1.x86_64
>
> My pwpolicy is set as such (in testing):
>
> $ ipa pwpolicy-show --all
>dn: cn=global_policy,cn=rc.usf.edu,cn=kerberos,dc=rc,dc=usf,dc=edu
>
>Group: global_policy
>Max lifetime (days): 365
>Min lifetime (hours): 1
>History size: 0
>Character classes: 0
>Min length: 8
>Max failures: 10
>Failure reset interval: 60
>Lockout duration: 600
>objectclass: top, nsContainer, krbPwdPolicy
>
>
> If I create an account and set the password using the
> following JSON
> string, against $server/ipa/json, say today,
>
> {
>   "method":"user_add",
>   "params":[ [],
> {
>   "uid":"it-rc-test-faculty",
>   "homedirectory":"/home/i/it-rc-test-faculty",
>   "userpassword":"MyPasswordInTheClear",
>   "givenname":"RC TEST - Faculty",
>   "sn":"Service_Account"
> }]
> }
>
> I get a password expiry time like so:
>
> $ ipa user-show --all it-rc-test-faculty | grep
> krbpasswordexpiration
> krbpasswordexpiration: 20130602163523Z
>
> That's clearly not one year into the future, but more like 90
> days.
>
> Is there something else I'm missing or are we looking at a bug?
>
>
> I still can't reproduce this. I tried from our 3.x branch and the
> 2.2 bits on 6.3.
>
> Can you do: ipa pwpolicy-show --user=it-rc-test-faculty
>
> This will show the policy applied to that user.
>
> Might also check /var/log/dirsrv/slapd-REALM/errors for anything
> suspicious.
>
> rob
>
>
> Many thanks,
> -Brian
>
>
> On Tue, Feb 26, 2013 at 3:22 AM, Martin Kosek <mko...@redhat.com> wrote:
>
> On 02/25/2013 04:38 PM, Brian Smith wrote:
>  > It seems that regardless of the global password expiry
> setting,
> that setting a
>  > password via the methods
>  >
>  > user-add
>  > passwd
>  >
>  > i will always have a password that expires in 90 days.  I
> followed the
>  > instructions here
> http://freeipa.org/page/PasswordSynchronization
>  >
>  > to avoid the immediate expiry, but I need at least 180
> days for my
>  > configuration to work.
>  >
>  > Any help would be appreciated!
>  >
>  > --
>  > Brian Smith
>  > Assistant Director
>  > Research Computing, University of South Florida
>  > 4202 E. Fowler Ave. SVC4010
>  > Office Phone: +1 813 974-1467
>  
>
>  > Organization URL: http://rc.usf.edu
>  >
>
> Hello Brian,
>
> Updating maximum password expiration time with "ipa
> pwpolicy-mod"
> affects only
> new passwords, i.e. password that you already changed will
> have the
> old lifetime.
>
> When I tested this on Fedora 18, password change worked
> for me:
>
> # ipa pwpolicy-mod --maxlife 180
>Group: global_policy

Re: [Freeipa-users] Password expiry when account provisioned/updated via JSON RPC

2013-03-05 Thread Brian Smith
I set the policy to 1 year and recreated the account.

$ ipa pwpolicy-show --user=it-rc-test-faculty
  Group: global_policy
  Max lifetime (days): 365
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 10
  Failure reset interval: 60
  Lockout duration: 600

Looks like a bug was filed for this about 9 months ago:
https://fedorahosted.org/freeipa/ticket/2795

I can also confirm the same behavior when the policy is set to 0 days, less
than 90 days, or if I create a separate password policy for users in the
ipausers group.  The result is always 90 days.

If the user updates the password themselves (after initial login) then the
password policy works and sets the expiry accordingly.

The user that is adding the users with userpasswd set appears in the
passsyncmanagersdns list:

passsyncmanagersdns:
uid=rc-user-svcacct,cn=users,cn=accounts,dc=rc,dc=usf,dc=edu


On Mon, Mar 4, 2013 at 2:40 PM, Rob Crittenden wrote:

> Brian Smith wrote:
>
>> Thanks for your response, and sorry for my late response.  I'm on RHEL6,
>> using the packages from the distribution
>> repository, ipa-server-2.2.0-17.el6_3.1.x86_64
>>
>> My pwpolicy is set as such (in testing):
>>
>> $ ipa pwpolicy-show --all
>>dn: cn=global_policy,cn=rc.usf.edu,cn=kerberos,dc=rc,dc=usf,dc=edu
>>
>>Group: global_policy
>>Max lifetime (days): 365
>>Min lifetime (hours): 1
>>History size: 0
>>Character classes: 0
>>Min length: 8
>>Max failures: 10
>>Failure reset interval: 60
>>Lockout duration: 600
>>objectclass: top, nsContainer, krbPwdPolicy
>>
>>
>> If I create an account and set the password using the following JSON
>> string, against $server/ipa/json, say today,
>>
>> {
>>   "method":"user_add",
>>   "params":[ [],
>> {
>>   "uid":"it-rc-test-faculty",
>>   "homedirectory":"/home/i/it-rc-test-faculty",
>>   "userpassword":"MyPasswordInTheClear",
>>   "givenname":"RC TEST - Faculty",
>>   "sn":"Service_Account"
>> }]
>> }
>>
>> I get a password expiry time like so:
>>
>> $ ipa user-show --all it-rc-test-faculty | grep krbpasswordexpiration
>> krbpasswordexpiration: 20130602163523Z
>>
>> That's clearly not one year into the future, but more like 90 days.
>>
>> Is there something else I'm missing or are we looking at a bug?
>>
>
> I still can't reproduce this. I tried from our 3.x branch and the 2.2 bits
> on 6.3.
>
> Can you do: ipa pwpolicy-show --user=it-rc-test-faculty
>
> This will show the policy applied to that user.
>
> Might also check /var/log/dirsrv/slapd-REALM/errors for anything
> suspicious.
>
> rob
>
>
>> Many thanks,
>> -Brian
>>
>>
>> On Tue, Feb 26, 2013 at 3:22 AM, Martin Kosek wrote:
>>
>> On 02/25/2013 04:38 PM, Brian Smith wrote:
>>  > It seems that regardless of the global password expiry setting,
>> that setting a
>>  > password via the methods
>>  >
>>  > user-add
>>  > passwd
>>  >
>>  > i will always have a password that expires in 90 days.  I
>> followed the
>>  > instructions here http://freeipa.org/page/PasswordSynchronization
>>  >
>>  > to avoid the immediate expiry, but I need at least 180 days for my
>>  > configuration to work.
>>  >
>>  > Any help would be appreciated!
>>  >
>>  > --
>>  > Brian Smith
>>  > Assistant Director
>>  > Research Computing, University of South Florida
>>  > 4202 E. Fowler Ave. SVC4010
>>  > Office Phone: +1 813 974-1467 
>>
>>  > Organization URL: http://rc.usf.edu
>>  >
>>
>> Hello Brian,
>>
>> Updating maximum password expiration time with "ipa pwpolicy-mod"
>> affects only
>> new passwords, i.e. password that you already changed will have the
>> old lifetime.
>>
>> When I tested this on Fedora 18, password change worked for me:
>>
>> # ipa pwpolicy-mod --maxlife 180
>>Group: global_policy
>>Max lifetime (days): 180
>>Min lifetime (hours): 1
>>History size: 0
>>Character classes: 0
>>Min length: 8
>>Max failures: 6
>>Failure reset interval: 60
>>Lockout duration: 600
>>
>> # ipa user-add --first=Foo --last=Bar fbar
>> -
>> Added user "fbar"
>> -
>>User login: fbar
>>First name: Foo
>>Last name: Bar
>>Full name: Foo Bar
>>Display name: Foo Bar
>>Initials: FB
>>Home directory: /home/fbar
>>GECOS field: Foo Bar
>>Login shell: /bin/sh
>>Kerberos principal: f...@example.com 
>>Email address: f...@example.com 
>>
>>UID: 175821
>>GID: 175821
>>Password: False
>>Member of groups: ipausers
>>Kerberos keys available: False
>> # ipa pa

Re: [Freeipa-users] Password expiry when account provisioned/updated via JSON RPC

2013-03-04 Thread Rob Crittenden

Brian Smith wrote:

Thanks for your response, and sorry for my late response.  I'm on RHEL6,
using the packages from the distribution
repository, ipa-server-2.2.0-17.el6_3.1.x86_64

My pwpolicy is set as such (in testing):

$ ipa pwpolicy-show --all
   dn: cn=global_policy,cn=rc.usf.edu,cn=kerberos,dc=rc,dc=usf,dc=edu
   Group: global_policy
   Max lifetime (days): 365
   Min lifetime (hours): 1
   History size: 0
   Character classes: 0
   Min length: 8
   Max failures: 10
   Failure reset interval: 60
   Lockout duration: 600
   objectclass: top, nsContainer, krbPwdPolicy


If I create an account and set the password using the following JSON
string, against $server/ipa/json, say today,

{
  "method":"user_add",
  "params":[ [],
{
  "uid":"it-rc-test-faculty",
  "homedirectory":"/home/i/it-rc-test-faculty",
  "userpassword":"MyPasswordInTheClear",
  "givenname":"RC TEST - Faculty",
  "sn":"Service_Account"
}]
}

I get a password expiry time like so:

$ ipa user-show --all it-rc-test-faculty | grep krbpasswordexpiration
krbpasswordexpiration: 20130602163523Z

That's clearly not one year into the future, but more like 90 days.

Is there something else I'm missing or are we looking at a bug?


I still can't reproduce this. I tried from our 3.x branch and the 2.2 
bits on 6.3.


Can you do: ipa pwpolicy-show --user=it-rc-test-faculty

This will show the policy applied to that user.

Might also check /var/log/dirsrv/slapd-REALM/errors for anything suspicious.

rob



Many thanks,
-Brian


On Tue, Feb 26, 2013 at 3:22 AM, Martin Kosek <mko...@redhat.com> wrote:

On 02/25/2013 04:38 PM, Brian Smith wrote:
 > It seems that regardless of the global password expiry setting,
that setting a
 > password via the methods
 >
 > user-add
 > passwd
 >
 > i will always have a password that expires in 90 days.  I
followed the
 > instructions here http://freeipa.org/page/PasswordSynchronization
 >
 > to avoid the immediate expiry, but I need at least 180 days for my
 > configuration to work.
 >
 > Any help would be appreciated!
 >
 > --
 > Brian Smith
 > Assistant Director
 > Research Computing, University of South Florida
 > 4202 E. Fowler Ave. SVC4010
 > Office Phone: +1 813 974-1467 
 > Organization URL: http://rc.usf.edu
 >

Hello Brian,

Updating maximum password expiration time with "ipa pwpolicy-mod"
affects only
new passwords, i.e. password that you already changed will have the
old lifetime.

When I tested this on Fedora 18, password change worked for me:

# ipa pwpolicy-mod --maxlife 180
   Group: global_policy
   Max lifetime (days): 180
   Min lifetime (hours): 1
   History size: 0
   Character classes: 0
   Min length: 8
   Max failures: 6
   Failure reset interval: 60
   Lockout duration: 600

# ipa user-add --first=Foo --last=Bar fbar
-
Added user "fbar"
-
   User login: fbar
   First name: Foo
   Last name: Bar
   Full name: Foo Bar
   Display name: Foo Bar
   Initials: FB
   Home directory: /home/fbar
   GECOS field: Foo Bar
   Login shell: /bin/sh
   Kerberos principal: f...@example.com 
   Email address: f...@example.com 
   UID: 175821
   GID: 175821
   Password: False
   Member of groups: ipausers
   Kerberos keys available: False
# ipa passwd fbar
New Password:
Enter New Password again to verify:
---
Changed password for "f...@example.com "
---

$ ssh f...@ipa.client.fqdn
f...@ipa.client.fqdn's password:
Password expired. Change your password now.
Last login: Tue Feb 26 09:16:39 2013 from 10.0.0.1
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user fbar.
Current Password:
New password:
Retype new password:
Your password will expire in 180 day(s).<<<
passwd: all authentication tokens updated successfully.
Connection to ipa.client.fqdn closed.

Does this usecase work for you or are you hitting a bug?


As for the warning about expiring password, this is a bug in sssd
component
which was already fixed upstream:

https://fedorahosted.org/sssd/ticket/1808

Martin




--
Brian Smith
Assistant Director
Research Computing, University of South Florida
4202 E. Fowler Ave. SVC4010
Office Phone: +1 813 974-1467
Organization URL: http://rc.usf.edu


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users




Re: [Freeipa-users] Password expiry when account provisioned/updated via JSON RPC

2013-03-04 Thread Brian Smith
Thanks for your response, and sorry for my late response.  I'm on RHEL6,
using the packages from the distribution
repository, ipa-server-2.2.0-17.el6_3.1.x86_64

My pwpolicy is set as such (in testing):

$ ipa pwpolicy-show --all
  dn: cn=global_policy,cn=rc.usf.edu,cn=kerberos,dc=rc,dc=usf,dc=edu
  Group: global_policy
  Max lifetime (days): 365
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 10
  Failure reset interval: 60
  Lockout duration: 600
  objectclass: top, nsContainer, krbPwdPolicy


If I create an account and set the password using the following JSON
string, against $server/ipa/json, say today,

{
 "method":"user_add",
 "params":[ [],
   {
 "uid":"it-rc-test-faculty",
 "homedirectory":"/home/i/it-rc-test-faculty",
 "userpassword":"MyPasswordInTheClear",
 "givenname":"RC TEST - Faculty",
 "sn":"Service_Account"
   }]
}

I get a password expiry time like so:

$ ipa user-show --all it-rc-test-faculty | grep krbpasswordexpiration
krbpasswordexpiration: 20130602163523Z

That's clearly not one year into the future, but more like 90 days.

Is there something else I'm missing or are we looking at a bug?

Many thanks,
-Brian


On Tue, Feb 26, 2013 at 3:22 AM, Martin Kosek wrote:

> On 02/25/2013 04:38 PM, Brian Smith wrote:
> > It seems that regardless of the global password expiry setting, that
> setting a
> > password via the methods
> >
> > user-add
> > passwd
> >
> > i will always have a password that expires in 90 days.  I followed the
> > instructions here http://freeipa.org/page/PasswordSynchronization
> >
> > to avoid the immediate expiry, but I need at least 180 days for my
> > configuration to work.
> >
> > Any help would be appreciated!
> >
> > --
> > Brian Smith
> > Assistant Director
> > Research Computing, University of South Florida
> > 4202 E. Fowler Ave. SVC4010
> > Office Phone: +1 813 974-1467
> > Organization URL: http://rc.usf.edu
> >
>
> Hello Brian,
>
> Updating maximum password expiration time with "ipa pwpolicy-mod" affects
> only
> new passwords, i.e. password that you already changed will have the old
> lifetime.
>
> When I tested this on Fedora 18, password change worked for me:
>
> # ipa pwpolicy-mod --maxlife 180
>   Group: global_policy
>   Max lifetime (days): 180
>   Min lifetime (hours): 1
>   History size: 0
>   Character classes: 0
>   Min length: 8
>   Max failures: 6
>   Failure reset interval: 60
>   Lockout duration: 600
>
> # ipa user-add --first=Foo --last=Bar fbar
> -
> Added user "fbar"
> -
>   User login: fbar
>   First name: Foo
>   Last name: Bar
>   Full name: Foo Bar
>   Display name: Foo Bar
>   Initials: FB
>   Home directory: /home/fbar
>   GECOS field: Foo Bar
>   Login shell: /bin/sh
>   Kerberos principal: f...@example.com
>   Email address: f...@example.com
>   UID: 175821
>   GID: 175821
>   Password: False
>   Member of groups: ipausers
>   Kerberos keys available: False
> # ipa passwd fbar
> New Password:
> Enter New Password again to verify:
> ---
> Changed password for "f...@example.com"
> ---
>
> $ ssh f...@ipa.client.fqdn
> f...@ipa.client.fqdn's password:
> Password expired. Change your password now.
> Last login: Tue Feb 26 09:16:39 2013 from 10.0.0.1
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user fbar.
> Current Password:
> New password:
> Retype new password:
> Your password will expire in 180 day(s).<<<
> passwd: all authentication tokens updated successfully.
> Connection to ipa.client.fqdn closed.
>
> Does this usecase work for you or are you hitting a bug?
>
>
> As for the warning about expiring password, this is a bug in sssd component
> which was already fixed upstream:
>
> https://fedorahosted.org/sssd/ticket/1808
>
> Martin
>



-- 
Brian Smith
Assistant Director
Research Computing, University of South Florida
4202 E. Fowler Ave. SVC4010
Office Phone: +1 813 974-1467
Organization URL: http://rc.usf.edu
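
The mismatch reported in this message, and the ldapmodify workaround mentioned in the 2013-03-06 reply, as an added Python example that is not part of the original thread or of FreeIPA itself. It assumes the password was set at 20130304163523Z (constructed; krbLastPwdChange is not shown in the thread) and that the user's DN follows the cn=users,cn=accounts pattern of the service account DN quoted in the thread; the second sample entry is constructed as well.

```python
from datetime import datetime, timedelta, timezone

GT_FORMAT = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime, as printed by `ipa user-show --all`


def parse_gt(value):
    """Parse a UTC GeneralizedTime string such as 20130602163523Z."""
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)


def audit_expiry(last_change, expiration, max_life_days, slack=timedelta(minutes=5)):
    """Compare the lifetime an account actually received with the policy's Max lifetime."""
    if max_life_days <= 0:
        # The thread does not say what a 0-day policy should produce, so it is not modelled.
        raise ValueError("max_life_days must be positive")
    changed = parse_gt(last_change)
    granted = parse_gt(expiration) - changed
    expected = timedelta(days=max_life_days)
    return {
        "granted_days": granted.days,
        "matches_policy": abs(granted - expected) <= slack,
        "corrected_expiration": (changed + expected).strftime(GT_FORMAT),
    }


def workaround_ldif(user_dn, corrected_expiration):
    """LDIF for ldapmodify that replaces krbPasswordExpiration on one entry."""
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "replace: krbPasswordExpiration",
        f"krbPasswordExpiration: {corrected_expiration}",
        "",
    ])


def find_mismatches(entries):
    """Return (dn, audit result) for every entry whose expiry disagrees with its policy."""
    flagged = []
    for entry in entries:
        result = audit_expiry(entry["krbLastPwdChange"],
                              entry["krbPasswordExpiration"],
                              entry["max_life_days"])
        if not result["matches_policy"]:
            flagged.append((entry["dn"], result))
    return flagged


# Constructed sample data. Only the first krbPasswordExpiration value and the
# two Max lifetime values (365 and 180) come from the thread.
SAMPLE_ENTRIES = [
    {   # account created through the JSON user_add call with userpassword set
        "dn": "uid=it-rc-test-faculty,cn=users,cn=accounts,dc=rc,dc=usf,dc=edu",  # assumed DN
        "krbLastPwdChange": "20130304163523Z",       # assumed time of the password set
        "krbPasswordExpiration": "20130602163523Z",  # value shown by ipa user-show
        "max_life_days": 365,
    },
    {   # user who changed the password themselves, so the policy was honoured
        "dn": "uid=fbar,cn=users,cn=accounts,dc=example,dc=com",  # constructed
        "krbLastPwdChange": "20130226091639Z",       # constructed
        "krbPasswordExpiration": "20130825091639Z",  # constructed: +180 days
        "max_life_days": 180,
    },
]

if __name__ == "__main__":
    for dn, result in find_mismatches(SAMPLE_ENTRIES):
        print(f"# {dn}: granted {result['granted_days']} days")
        print(workaround_ldif(dn, result["corrected_expiration"]))
```
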

Re: [Freeipa-users] Password expiry when account provisioned/updated via JSON RPC

2013-02-26 Thread Martin Kosek
On 02/25/2013 04:38 PM, Brian Smith wrote:
> It seems that regardless of the global password expiry setting, that setting a
> password via the methods
> 
> user-add
> passwd
> 
> i will always have a password that expires in 90 days.  I followed the
> instructions here http://freeipa.org/page/PasswordSynchronization
> 
> to avoid the immediate expiry, but I need at least 180 days for my
> configuration to work.
> 
> Any help would be appreciated!
> 
> -- 
> Brian Smith
> Assistant Director
> Research Computing, University of South Florida
> 4202 E. Fowler Ave. SVC4010
> Office Phone: +1 813 974-1467
> Organization URL: http://rc.usf.edu
> 

Hello Brian,

Updating maximum password expiration time with "ipa pwpolicy-mod" affects only
new passwords, i.e. password that you already changed will have the old 
lifetime.

When I tested this on Fedora 18, password change worked for me:

# ipa pwpolicy-mod --maxlife 180
  Group: global_policy
  Max lifetime (days): 180
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600

# ipa user-add --first=Foo --last=Bar fbar
-
Added user "fbar"
-
  User login: fbar
  First name: Foo
  Last name: Bar
  Full name: Foo Bar
  Display name: Foo Bar
  Initials: FB
  Home directory: /home/fbar
  GECOS field: Foo Bar
  Login shell: /bin/sh
  Kerberos principal: f...@example.com
  Email address: f...@example.com
  UID: 175821
  GID: 175821
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
# ipa passwd fbar
New Password:
Enter New Password again to verify:
---
Changed password for "f...@example.com"
---

$ ssh f...@ipa.client.fqdn
f...@ipa.client.fqdn's password:
Password expired. Change your password now.
Last login: Tue Feb 26 09:16:39 2013 from 10.0.0.1
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user fbar.
Current Password:
New password:
Retype new password:
Your password will expire in 180 day(s).<<<
passwd: all authentication tokens updated successfully.
Connection to ipa.client.fqdn closed.

Does this usecase work for you or are you hitting a bug?


As for the warning about expiring password, this is a bug in sssd component
which was already fixed upstream:

https://fedorahosted.org/sssd/ticket/1808

Martin



[Freeipa-users] Password expiry when account provisioned/updated via JSON RPC

2013-02-25 Thread Brian Smith
It seems that regardless of the global password expiry setting, that
setting a password via the methods

user-add
passwd

i will always have a password that expires in 90 days.  I followed the
instructions here http://freeipa.org/page/PasswordSynchronization

to avoid the immediate expiry, but I need at least 180 days for my
configuration to work.

Any help would be appreciated!

-- 
Brian Smith
Assistant Director
Research Computing, University of South Florida
4202 E. Fowler Ave. SVC4010
Office Phone: +1 813 974-1467
Organization URL: http://rc.usf.edu