Re: [Freeipa-users] krbPasswordExpiration field not updating?
On 05/10/2012 03:11 PM, Simo Sorce wrote:
> On Thu, 2012-05-10 at 03:58 +0400, free...@noboost.org wrote:
> > The thing that threw me was that "Max lifetime (days)" is not the actual
> > expiry date.
> > Once I realised that there was an ldap "krbPasswordExpiration" attribute
> > which I can modify directly, then I fixed the issue for the whole company
> > in about 10min :)
> >
> > Documentation (my opinion):
> > * Full meaning for this attribute krbPasswordExpiration
> > * The difference between Max lifetime (days) & krbPasswordExpiration
> > * How to change ldap expiration entries.
>
> It would be nice if you could open a ticket so we can track this RFE and
> not forget about it.

Done 2 hours ago, I forgot to report it :-)
https://fedorahosted.org/freeipa/ticket/2745

> Thanks.
> Simo.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] krbPasswordExpiration field not updating?
On Thu, 2012-05-10 at 03:58 +0400, free...@noboost.org wrote:
> The thing that threw me was that "Max lifetime (days)" is not the actual
> expiry date.
> Once I realised that there was an ldap "krbPasswordExpiration" attribute
> which I can modify directly, then I fixed the issue for the whole company
> in about 10min :)
>
> Documentation (my opinion):
> * Full meaning for this attribute krbPasswordExpiration
> * The difference between Max lifetime (days) & krbPasswordExpiration
> * How to change ldap expiration entries.

It would be nice if you could open a ticket so we can track this RFE and
not forget about it.

Thanks.
Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] krbPasswordExpiration field not updating?
On Wed, May 09, 2012 at 01:21:39PM +0200, Petr Spacek wrote:
> On 05/09/2012 03:31 AM, Dan Scott wrote:
> > Yep, and Z indicates GMT.
>
> Question is:
> 1) Should we document that (and provide a hint in `ipa pwpolicy` output)?
> OR
> 2) Should ipa pwpolicy do update for all affected principals in LDAP?
> Just to prevent confusion?
>
> I like variant 2, because variant 1 seems to be confusing to me.
>
> Craig, what is user opinion?
>
> Petr^2 Spacek

The thing that threw me was that "Max lifetime (days)" is not the actual
expiry date.
Once I realised that there was an ldap "krbPasswordExpiration" attribute
which I can modify directly, then I fixed the issue for the whole company
in about 10min :)

Documentation (my opinion):
* Full meaning for this attribute krbPasswordExpiration
* The difference between Max lifetime (days) & krbPasswordExpiration
* How to change ldap expiration entries.

cya
Craig
Re: [Freeipa-users] krbPasswordExpiration field not updating?
On Wed, 2012-05-09 at 13:21 +0200, Petr Spacek wrote:
> On 05/09/2012 03:31 AM, Dan Scott wrote:
> > Yep, and Z indicates GMT.
>
> Question is:
> 1) Should we document that (and provide a hint in `ipa pwpolicy` output)?

Yes.

> 2) Should ipa pwpolicy do update for all affected principals in LDAP?
> Just to prevent confusion?

No.

> I like variant 2, because variant 1 seems to be confusing to me.

May not be what the user wants to do, and would cause a lot of changes all
over the directory and a lot of replication.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] krbPasswordExpiration field not updating?
On 05/09/2012 03:31 AM, Dan Scott wrote:
> On Tue, May 8, 2012 at 8:45 PM, wrote:
> > Thanks, great advice, so just to clarify, do the rear numbers just
> > represent hours, seconds etc?
> > e.g. krbpasswordexpiration: 20150101203734Z
> >      krbpasswordexpiration: 20150101 [20 37 34 ?] Z (20=hour,37=min,34=sec)?
>
> Yep, and Z indicates GMT.

Question is:
1) Should we document that (and provide a hint in `ipa pwpolicy` output)?
OR
2) Should ipa pwpolicy do update for all affected principals in LDAP?
Just to prevent confusion?

I like variant 2, because variant 1 seems to be confusing to me.

Craig, what is user opinion?

Petr^2 Spacek
Re: [Freeipa-users] krbPasswordExpiration field not updating?
On Tue, May 8, 2012 at 8:45 PM, wrote:
> On Tue, May 08, 2012 at 09:43:13AM -0400, Rob Crittenden wrote:
> > This is great, thanks Dan.
> >
> > BTW the equivalent command using a Kerberos ticket is:
> >
> > $ ldapmodify -Y GSSAPI -h $IPA_SERVER -p 389 -vv -f update_krbpasswordexpiration.ldif
> >
> > rob
>
> Thanks, great advice, so just to clarify, do the rear numbers just
> represent hours, seconds etc?
> e.g. krbpasswordexpiration: 20150101203734Z
>      krbpasswordexpiration: 20150101 [20 37 34 ?] Z (20=hour,37=min,34=sec)?

Yep, and Z indicates GMT.
Re: [Freeipa-users] krbPasswordExpiration field not updating?
On Tue, May 08, 2012 at 09:43:13AM -0400, Rob Crittenden wrote:
> Dan Scott wrote:
> > You can force the expiration date using an ldapmodify command:
> >
> > ldapmodify -x -D 'cn=directory manager' -W -h $IPA_SERVER -p 389 -vv -f update_krbpasswordexpiration.ldif
> >
> > Where the update_krbpasswordexpiration.ldif file contains:
> >
> > dn: uid=$USERNAME,cn=users,cn=accounts,dc=example,dc=com
> > changetype: modify
> > replace: krbpasswordexpiration
> > krbpasswordexpiration: 20140202203734Z
> >
> > You could do this as admin if you have a ticket so that you don't have
> > to enter the directory manager password.
>
> This is great, thanks Dan.
>
> BTW the equivalent command using a Kerberos ticket is:
>
> $ ldapmodify -Y GSSAPI -h $IPA_SERVER -p 389 -vv -f update_krbpasswordexpiration.ldif
>
> rob

Thanks, great advice, so just to clarify, do the rear numbers just
represent hours, seconds etc?
e.g. krbpasswordexpiration: 20150101203734Z
     krbpasswordexpiration: 20150101 [20 37 34 ?] Z (20=hour,37=min,34=sec)?

cya
Craig
Re: [Freeipa-users] krbPasswordExpiration field not updating?
Dan Scott wrote:
> On Tue, May 8, 2012 at 1:55 AM, wrote:
> > Any ideas?
> > Can I globally update this somehow, otherwise I'll be re-typing
> > passwords for a while.
>
> A password reset by admin always expires the password. I think once
> the user first changes their password it will have the lifetime that
> you specified.
>
> You can force the expiration date using an ldapmodify command:
>
> ldapmodify -x -D 'cn=directory manager' -W -h $IPA_SERVER -p 389 -vv -f update_krbpasswordexpiration.ldif
>
> Where the update_krbpasswordexpiration.ldif file contains:
>
> dn: uid=$USERNAME,cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> replace: krbpasswordexpiration
> krbpasswordexpiration: 20140202203734Z
>
> You could do this as admin if you have a ticket so that you don't have
> to enter the directory manager password.

This is great, thanks Dan.

BTW the equivalent command using a Kerberos ticket is:

$ ldapmodify -Y GSSAPI -h $IPA_SERVER -p 389 -vv -f update_krbpasswordexpiration.ldif

rob
Re: [Freeipa-users] krbPasswordExpiration field not updating?
On Tue, May 8, 2012 at 1:55 AM, wrote:
> But old accounts are not getting the change at the ldap level, even
> though IPA claims the expiry date has updated.
> [...]
> So now when the user(s) logs in, I'm getting "password will expire in XX
> days" messages.
>
> Any ideas?
> Can I globally update this somehow, otherwise I'll be re-typing
> passwords for a while.

A password reset by admin always expires the password. I think once
the user first changes their password it will have the lifetime that
you specified.

You can force the expiration date using an ldapmodify command:

ldapmodify -x -D 'cn=directory manager' -W -h $IPA_SERVER -p 389 -vv -f update_krbpasswordexpiration.ldif

Where the update_krbpasswordexpiration.ldif file contains:

dn: uid=$USERNAME,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
replace: krbpasswordexpiration
krbpasswordexpiration: 20140202203734Z

You could do this as admin if you have a ticket so that you don't have
to enter the directory manager password.

Hope this helps,

Dan
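Craig asked for a way to update the whole company at once; the script below is an added example (not from the thread, not FreeIPA code) that turns the single-user LDIF above into a reviewable batch. It assumes the user entries were exported with ldapsearch as LDIF carrying krbPasswordExpiration and krbLastPwdChange (a standard Kerberos schema attribute the thread does not mention), computes the expiry the "Max lifetime (days)" policy would have produced at the last password change, and emits a `replace` record only for entries that differ, so the ldapmodify run touches as few entries (and generates as little replication) as possible. SAMPLE_LDIF is constructed.

```python
# Added example, not from the thread or from FreeIPA. Assumptions: user entries
# exported with ldapsearch as LDIF with krbPasswordExpiration and krbLastPwdChange;
# SAMPLE_LDIF below is constructed. Output feeds `ldapmodify -Y GSSAPI ... -f FILE`.
import re
from datetime import datetime, timedelta, timezone

# FreeIPA stores these timestamps as LDAP GeneralizedTime: YYYYMMDDHHMMSS plus
# "Z", which means UTC/GMT (as confirmed in the thread).
GENTIME_RE = re.compile(r"^(\d{14})Z$")


def parse_gentime(value):
    """'20120506011529Z' -> aware datetime 2012-05-06 01:15:29 UTC."""
    m = GENTIME_RE.match(value.strip())
    if not m:
        raise ValueError("not a GeneralizedTime with Z suffix: %r" % value)
    naive = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    return naive.replace(tzinfo=timezone.utc)


def format_gentime(dt):
    """Inverse of parse_gentime. Refuses naive or non-UTC datetimes so a local
    time is never written with a Z suffix that claims it is UTC."""
    if dt.tzinfo is None or dt.utcoffset() != timedelta(0):
        raise ValueError("expiration must be an aware UTC datetime")
    return dt.strftime("%Y%m%d%H%M%S") + "Z"


def parse_ldif(text):
    """Minimal reader for ldapsearch LDIF output: a blank line ends an entry,
    '#' lines are comments. Attribute names are lower-cased because LDAP
    attribute names are case-insensitive (the thread's LDIF writes
    krbpasswordexpiration, ldapsearch prints krbPasswordExpiration)."""
    entries, cur = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, val = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries


def plan_expirations(entries, max_lifetime_days):
    """Return [(dn, current_expiry, wanted_expiry)] for entries whose stored
    krbPasswordExpiration is not (last change + max lifetime). Entries that
    already match the policy are skipped, so only accounts an admin reset
    left expired receive a modify (and a replication change)."""
    plan = []
    for e in entries:
        try:
            dn = e["dn"][0]
            changed = parse_gentime(e["krblastpwdchange"][0])
            current = parse_gentime(e["krbpasswordexpiration"][0])
        except (KeyError, ValueError):
            continue  # entry lacks usable timestamps: leave it alone
        wanted = changed + timedelta(days=max_lifetime_days)
        if wanted != current:
            plan.append((dn, format_gentime(current), format_gentime(wanted)))
    return plan


def to_ldif(plan):
    """One 'replace' change record per DN, the same shape as the thread's LDIF."""
    records = []
    for dn, _old, new in plan:
        records.append("dn: %s\nchangetype: modify\n"
                       "replace: krbPasswordExpiration\n"
                       "krbPasswordExpiration: %s\n" % (dn, new))
    return "\n".join(records)


# Constructed sample: john was reset by an admin, so his expiry equals his last
# change time (already expired); jane already carries the 9-day lifetime.
SAMPLE_LDIF = """\
# john, users, accounts, example.com
dn: uid=john,cn=users,cn=accounts,dc=example,dc=com
krbLastPwdChange: 20120506011529Z
krbPasswordExpiration: 20120506011529Z

# jane, users, accounts, example.com
dn: uid=jane,cn=users,cn=accounts,dc=example,dc=com
krbLastPwdChange: 20120501120000Z
krbPasswordExpiration: 20120510120000Z
"""

if __name__ == "__main__":
    # Prints a modify record for john only; jane is left untouched.
    print(to_ldif(plan_expirations(parse_ldif(SAMPLE_LDIF), 9)))
```

Review the generated file before feeding it to ldapmodify; a wrong lifetime here rewrites every mismatched entry in one pass.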
Re: [Freeipa-users] krbPasswordExpiration field not updating?
On Tue, 2012-05-08 at 09:55 +0400, free...@noboost.org wrote:
> But old accounts are not getting the change at the ldap level, even
> though IPA claims the expiry date has updated.
> [...]
> Any ideas?
> Can I globally update this somehow, otherwise I'll be re-typing
> passwords for a while.

Password policies are applied at password change time; if you want to
change the password expiration time of a specific user w/o forcing a
password change then you need to change the krbPasswordExpiration
attribute on the user.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
[Freeipa-users] krbPasswordExpiration field not updating?
Hi,

Spec:
Red Hat Enterprise Linux Server release 6.2 (Santiago)
ipa-admintools-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
ipa-server-selinux-2.1.3-9.el6.x86_64

Issue:
Firstly I'll declare someone must have seen this by now?

I've set the password policy to 9;
[root@sysvm-ipa ~]# ipa pwpolicy-show
  Group: global_policy
  Max lifetime (days): 9
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 6
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600

But old accounts are not getting the change at the ldap level, even
though IPA claims the expiry date has updated.
e.g.
[root@sysvm-ipa ~]# ipa pwpolicy-show --user=john
  Group: global_policy
  Max lifetime (days): 9
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 6
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600

ldapsearch (command chopped)
# john, users, accounts, teratext.saic.com.au
dn: uid=john,cn=users,cn=accounts,dc=example,dc=com
krbPasswordExpiration: 20120506011529Z

So now when the user(s) logs in, I'm getting "password will expire in XX
days" messages.

Any ideas?
Can I globally update this somehow, otherwise I'll be re-typing
passwords for a while.

cya
Craig