On 04/08/15 17:01, Robert Locke wrote:
Hey folks,

I have been using the following to adjust the Password Expiration of
accounts in IdM/IPA:
         echo "$ADMIN_PASS" | kinit admin
         echo -e "dn: uid=rheluseri,cn=users,cn=accounts,dc=example,dc=com\nchangetype: modify\nreplace: krbPasswordExpiration\nkrbPasswordExpiration: 20300101000000Z\n" | ldapmodify -x -D 'cn=Directory Manager' -w $ADMIN_PASS

This has worked nicely for me.

My "new" problem is that the admin account itself expires after 90 days.
I thought since ldapsearch does show the admin account, that simply
substituting the uid might work.

         echo -e "dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com\nchangetype: modify\nreplace: krbPasswordExpiration\nkrbPasswordExpiration: 20300101000000Z\n" | ldapmodify -x -D 'cn=Directory Manager' -w $ADMIN_PASS

My attempts to adjust the admin account in this similar fashion have
been, not surprisingly, unsuccessful.

Suggestions/pointers?

--Rob



Hello,
I just tried to set the krbPasswordExpiration attribute for admin and it worked as expected:

$ ipa user-show admin --all
  dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
  User login: admin
  ...
  krbpasswordexpiration: 20200101000000Z
  ...

$ echo -e "dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com\nchangetype: modify\nreplace: krbPasswordExpiration\nkrbPasswordExpiration: 20300101000000Z\n" | ldapmodify -x -D 'cn=Directory Manager' -w $DM_PASS
modifying entry "uid=admin,cn=users,cn=accounts,dc=example,dc=com"

$ ipa user-show admin --all
  dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
  User login: admin
  ...
  krbpasswordexpiration: 20300101000000Z
  ...

Could you provide more information about what is failing? The only thing that comes to my mind is that you're using the $ADMIN_PASS variable where the Directory Manager password is required, but I know it's just the name of the variable.

--
David Kupka
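
The modify from this thread as a reusable function, given here as an added example that is not part of either poster's message: it validates the uid and timestamp before building the LDIF, and binds as Directory Manager with the password read from a file through ldapmodify's -y option instead of passing it with -w on the command line. The function names and the password-file argument are hypothetical; the suffix is the thread's dc=example,dc=com.

```sh
#!/bin/sh
# Added example, not from the thread. BASE_DN is the thread's example suffix.
BASE_DN='cn=users,cn=accounts,dc=example,dc=com'

# Print an LDIF record that replaces krbPasswordExpiration for one user.
# $1 = uid, $2 = UTC GeneralizedTime in the form YYYYMMDDhhmmssZ
make_expiry_ldif() {
    # uid must be one plain token: nothing that needs DN escaping and
    # no newline that could smuggle extra LDIF lines into the record.
    case $1 in
        ''|*[!A-Za-z0-9._-]*) echo "bad uid: $1" >&2; return 1 ;;
    esac
    # Only digits and Z allowed (this also rejects embedded newlines),
    # then check that each field is in range.
    case $2 in
        ''|*[!0-9Z]*) echo "bad timestamp: $2" >&2; return 1 ;;
    esac
    printf '%s\n' "$2" | grep -Eq \
        '^[0-9]{4}(0[1-9]|1[0-2])(0[1-9]|[12][0-9]|3[01])([01][0-9]|2[0-3])[0-5][0-9][0-5][0-9]Z$' \
        || { echo "bad timestamp: $2" >&2; return 1; }
    printf 'dn: uid=%s,%s\nchangetype: modify\nreplace: krbPasswordExpiration\nkrbPasswordExpiration: %s\n' \
        "$1" "$BASE_DN" "$2"
}

# Apply the change as Directory Manager.
# $3 = file holding the Directory Manager password (not the IPA admin
# password), mode 0600, no trailing newline: ldapmodify -y uses the
# complete file contents as the password, and the secret never shows
# up in the process argument list the way it does with -w.
set_password_expiry() {
    [ -r "$3" ] || { echo "cannot read password file: $3" >&2; return 1; }
    # Validate first so nothing is piped to the server on bad input.
    make_expiry_ldif "$1" "$2" >/dev/null || return 1
    make_expiry_ldif "$1" "$2" |
        ldapmodify -x -D 'cn=Directory Manager' -y "$3"
}
```

Called as `set_password_expiry admin 20300101000000Z /path/to/dm.pw`, it sends the same record as the command in the reply above.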
