<div dir="ltr"><div><div><div><div>@Martin<br></div>1) Yes, I did executed 8.5.3 from the wiki. Is this is reason for the systems behaviour? if so why doesnt't it applies for both admins? And it doesn't explain the 90 days, because it is not set in the tutorial. Unless some params are left out of the wiki for some reason. I'm using windows LDAP admin tool to browse the LDAP tree, but couln't find this param/value so I wasn't sure if the new setting is being used. I did get a confirmation while executing the change.<br> <br>@Dimitri<br></div><div>1) Yes, there are no problems with changing your own password. There is only something strange with the expiration lifetime when you are changing other users (admin or non-admin) password. The expiration lifetime of a password reset should be equal to BOTH admins like expired immediately, 90 days or the value that is set in the password policy. I prefer the value in a password policy, because this way I have it more under control.<br> </div><div><br></div><div>@Martin & @Will<br></div>1b) Ok, I'm afraid you may say that. Most free clients like gmail, hotmail, ebay, paypal doesn't require a password reset from time to time (yes they may have set a very high value). So I was wondering why it isn't possible. I know it's bad for security, but still.<br> </div></div><div class="gmail_extra"><br><br><br><br><div class="gmail_quote">On Thu, Aug 28, 2014 at 6:18 PM, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div text="#000000" bgcolor="#FFFFFF"><div class=""> <div>On 08/28/2014 04:18 PM, Zip Ly wrote:<br> </div> </div><div class=""><blockquote type="cite"> <div dir="ltr"> <div>Hi,</div> <div> </div> <div> </div> <div><span>I'm trying to change a user password without reset.</span></div> <div><span>If I use the (primary) admin to change the password then it doesn't need a password reset, because the expire lifetime is 90 days.</span></div> <div><span></span> </div> <div><span>But if I create a second admin, then every password change made by the second admin needs a password reset, because the password is expired immediately.</span></div> <div><span></span> </div> <span> <div><span>1a) Does anyone knows how I can change the policy/privilege of the second admin so every password change doesn't require a reset? 1b) and is it possible to set a different expire lifetime like zero for unlimited lifetime?</span></div> </span></div> </blockquote> <br></div> You are probably changing password for the admin himself.<br> Isn't there a different flow when admin changes his own password?<div class=""><br> <br> <blockquote type="cite"> <div dir="ltr"><span> <div> </div> <div> <div><span>It's almost the same bugreport as <a href="https://fedorahosted.org/freeipa/ticket/2795" target="_blank">https://fedorahosted.org/freeipa/ticket/2795</a> but the difference is there should be 2 policies: one for changing your own password and another for resetting other users password.</span></div> </div> <div> </div> <div>2) Are there more differences in policies between the first (primary) admin and the second admin you just created?</div> <div> </div> <div> </div> <div>Kind regards,</div> <div> </div> <div>Zip</div> <div> </div> </span> <p> </p> </div> <br> <fieldset></fieldset> <br> </blockquote> <br> <br> </div><span class="HOEnZb"><font color="#888888"><pre cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.</pre> </font></span></div> <br>--<br> Manage your subscription for the Freeipa-users mailing list:<br> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br> Go To <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project<br></blockquote></div><br></div></div>