Re: [Freeipa-users] Default Expiry on IPA?
On 08/28/2012 09:44 AM, free...@noboost.org wrote:
> Hi All,
>
> System:
> Red Hat Enterprise Linux Server release 6.3 (Santiago)
> ipa-server-2.2.0
>
> Question:
> Has anyone managed to actually set an expiry date (or longer 900+ day
> expiry time) on user account passwords in IPA?
>
> From my testing, the default of 90 days is hard coded and the only way
> to extend it is via LDAP and the krbPasswordExpiration: attribute?
>
> cya
>
> Craig

Hi Craig,

You can set password policies for various user groups. In IPA there is a default policy: global_policy. You can change password max life to 1000 days with the following command:

    # ipa pwpolicy-mod --maxlife=1000

Or in Web UI: Policy/Password Policies/global_policy

When a user resets his password this policy will be applied to it.

IPA CLI and Web UI don't have options to set a user password's expiration date directly.

Regards
--
Petr Vobornik

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Default Expiry on IPA?
Petr Vobornik wrote:
> On 08/28/2012 09:44 AM, free...@noboost.org wrote:
>> Hi All,
>>
>> System:
>> Red Hat Enterprise Linux Server release 6.3 (Santiago)
>> ipa-server-2.2.0
>>
>> Question:
>> Has anyone managed to actually set an expiry date (or longer 900+ day
>> expiry time) on user account passwords in IPA?
>>
>> From my testing, the default of 90 days is hard coded and the only way
>> to extend it is via LDAP and the krbPasswordExpiration: attribute?
>>
>> cya
>>
>> Craig
>
> Hi Craig,
>
> You can set password policies for various user groups. In IPA there is a
> default policy: global_policy. You can change password max life to 1000
> days with the following command:
>
>     # ipa pwpolicy-mod --maxlife=1000
>
> Or in Web UI: Policy/Password Policies/global_policy
>
> When a user resets his password this policy will be applied to it.
>
> IPA CLI and Web UI don't have options to set a user password's expiration
> date directly.

I just want to stress one point here. The expiration date is set when a password is changed. Changing the policy does not affect current password expiration dates.

rob
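The following is an added example, not part of either post and not FreeIPA code: it audits exported user entries to show which passwords were issued under a lifetime other than the current policy's, which is the situation described in the last reply. It assumes each entry carries krbPasswordExpiration plus the last-change timestamp in an attribute named krbLastPwdChange (an assumption, not named in the thread), and that expiration equals last change plus max life; the LDIF sample and DNs are constructed.

```python
from datetime import datetime, timezone

# Constructed sample: LDIF-style user entries (not real directory data).
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
krbLastPwdChange: 20120801120000Z
krbPasswordExpiration: 20121030120000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
krbLastPwdChange: 20120829080000Z
krbPasswordExpiration: 20150526080000Z
"""

def parse_time(value):
    """Parse LDAP GeneralizedTime (YYYYmmddHHMMSSZ) as an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_entries(ldif):
    """Split simple LDIF (no folded lines, no base64 values) into dicts."""
    entries = []
    for block in ldif.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry[key] = value
        entries.append(entry)
    return entries

def audit(ldif, current_maxlife_days):
    """Return (dn, issued_lifetime_days, matches_current_policy) per entry.

    Entries missing either timestamp are skipped: no lifetime can be derived.
    """
    report = []
    for e in parse_entries(ldif):
        if "krbLastPwdChange" not in e or "krbPasswordExpiration" not in e:
            continue
        changed = parse_time(e["krbLastPwdChange"])
        expires = parse_time(e["krbPasswordExpiration"])
        days = (expires - changed).days
        report.append((e["dn"], days, days == current_maxlife_days))
    return report

if __name__ == "__main__":
    for dn, days, ok in audit(SAMPLE_LDIF, 1000):
        status = "current policy" if ok else "older policy, until next change"
        print(f"{dn}: issued for {days} days ({status})")
```

Accounts reported under the older lifetime keep their existing expiration date until the password is next changed.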