[Freeipa-users] How to unset a user's kerberos principal expiration date?

Roderick Johnstone rmj at ast.cam.ac.uk
Fri Jul 1 12:33:13 UTC 2016


On 30/06/16 14:14, Rob Crittenden wrote:
> David Kupka wrote:
>> On 29/06/16 19:05, Roderick Johnstone wrote:
>>> Hi
>>>
>>> If I set a kerberos principal for a user to expire on a given date
>>> using:
>>> ipa user-mod <user> --principal-expiration=DATE
>>> is it possible to later remove this expiration date rather than just set
>>> it to a time far in the future?
>>>
>>> Thanks
>>>
>>> Roderick Johnstone
>>>
>>
>> Hello Roderick,
>> AFAIK the only way to remove principal expiration at this time is to remove
>> krbPrincipalExpiration attribute from the user entry in DS.
>>
>> $ kinit admin
>> Password for admin at EXAMPLE.ORG
>> $ ldapmodify -Y GSSAPI
>> SASL/GSSAPI authentication started
>> SASL username: admin at EXAMPLE.ORG
>> SASL SSF: 56
>> SASL data security layer installed.
>> dn:uid=tuser,cn=users,cn=accounts,dc=example,dc=org
>> changetype: modify
>> delete: krbprincipalexpiration
>> modifying entry "uid=tuser,cn=users,cn=accounts,dc=example,dc=org"
>>
>> I think that it makes sense to expose this in the API. Could you please file
>> an RFE (https://fedorahosted.org/freeipa/newticket)?
>>
>
> You just need to pass in a blank value:
>
> $ ipa user-mod <user> --principal-expiration=
>
> rob

Thanks both.

I can indeed confirm that setting --principal-expiration= does in fact 
remove the kerberos expiration date.

Roderick
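
An added example, not part of the original thread: a check that krbPrincipalExpiration is really gone from a user entry after either method above, by classifying entries in LDIF text as produced by ldapsearch. The function names and the sample entries are constructed for illustration, and values are assumed not to be base64-encoded.

```python
from datetime import datetime, timezone

# Constructed sample: LDIF for three user entries (not real directory data)
SAMPLE_LDIF = """\
dn: uid=tuser,cn=users,cn=accounts,dc=example,dc=org
uid: tuser

dn: uid=auser,cn=users,cn=accounts,dc=example,dc=org
uid: auser
krbPrincipalExpiration: 20160101000000Z

dn: uid=buser,cn=users,cn=accounts,dc=example,
 dc=org
uid: buser
krbprincipalexpiration: 20300101000000Z
"""

def parse_entries(ldif_text):
    """Yield one {lowercased attribute: value} dict per LDIF entry."""
    # LDIF folds long lines: a continuation line starts with one space.
    unfolded = ldif_text.replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip comments and lines without "name: value"
            name, value = line.split(": ", 1)
            entry[name.lower()] = value.strip()  # attribute names are case-insensitive
        if "dn" in entry:
            yield entry

def audit_expiration(ldif_text, now):
    """Map each DN to 'none', 'expired' or 'active' for krbPrincipalExpiration."""
    report = {}
    for entry in parse_entries(ldif_text):
        raw = entry.get("krbprincipalexpiration")
        if raw is None:
            report[entry["dn"]] = "none"  # attribute absent: no expiration date set
            continue
        # GeneralizedTime in UTC, e.g. 20160101000000Z
        expires = datetime.strptime(raw, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        report[entry["dn"]] = "expired" if expires <= now else "active"
    return report

if __name__ == "__main__":
    for dn, state in audit_expiration(SAMPLE_LDIF, datetime.now(timezone.utc)).items():
        print(f"{state:8} {dn}")
```

An entry reported as `none` has no expiration date at all, so running this over all user entries also shows which accounts will never expire.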



