[Freeipa-users] Default Expiry on IPA?

Rob Crittenden rcritten at redhat.com
Tue Aug 28 12:56:56 UTC 2012


Petr Vobornik wrote:
> On 08/28/2012 09:44 AM, freeipa at noboost.org wrote:
>> Hi All,
>>
>> System:
>> Red Hat Enterprise Linux Server release 6.3 (Santiago)
>> ipa-server-2.2.0
>>
>>
>> Question:
>> Has anyone managed to actually set an expiry date (or longer 900+
>> day expiry
>> time) on user account passwords in IPA?
>>
>> From my testing, the default of 90 days is hard coded and the only way
>> to extend it is via LDAP and the "krbPasswordExpiration:" attribute?
>>
>> cya
>>
>> Craig
>>
>
> Hi Craig,
>
> You can set password policies for various user groups. In IPA there is a
> default policy: global_policy. You can change password max life to 1000
> days with the following command:
>
> # ipa pwpolicy-mod --maxlife=1000
>
> Or in Web UI: Policy/Password Policies/global_policy
>
> When a user resets his password, this policy will be applied to it.
>
> IPA CLI and Web UI don't have options to set user password's expiration
> date directly.
>

I just want to stress one point here. The expiration date is set when a 
password is changed. Changing the policy does not affect current 
password expiration dates.

rob
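
An added example, not part of the original thread: a Python check that lists accounts whose stored `krbPasswordExpiration` still reflects an older policy after `--maxlife` has been changed. The LDIF sample, user names, dates and the `dc=example,dc=com` suffix are constructed, and the script assumes each entry also carries `krbLastPwdChange`.

```python
from datetime import datetime

# Constructed sample in ldapsearch LDIF form (not real directory data).
# alice changed her password under the 90-day policy, bob after --maxlife=1000;
# carol has no password set, so the Kerberos attributes are absent.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
krbLastPwdChange: 20120701100000Z
krbPasswordExpiration: 20120929100000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
krbLastPwdChange: 20120829090000Z
krbPasswordExpiration: 20150526090000Z

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
uid: carol
"""

def parse_entries(ldif):
    """Split LDIF into dicts; assumes no folded or base64 ('::') lines."""
    entries = []
    for block in ldif.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                entry[key] = value
        entries.append(entry)
    return entries

def gtime(value):
    """Parse an LDAP GeneralizedTime value such as 20120828125656Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ")

def stale_accounts(ldif, policy_maxlife_days):
    """Return (uid, stored_lifetime_days, expiry) for each account whose
    stored expiry does not match the current policy max life."""
    stale = []
    for e in parse_entries(ldif):
        if "krbLastPwdChange" not in e or "krbPasswordExpiration" not in e:
            continue  # no password set yet, nothing to compare
        expiry = gtime(e["krbPasswordExpiration"])
        lifetime = (expiry - gtime(e["krbLastPwdChange"])).days
        if lifetime != policy_maxlife_days:
            stale.append((e["uid"], lifetime, expiry.date().isoformat()))
    return stale

if __name__ == "__main__":
    for uid, days, expiry in stale_accounts(SAMPLE_LDIF, 1000):
        print(f"{uid}: lifetime {days}d, expires {expiry} (policy: 1000d)")
```
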