[Freeipa-users] krbPasswordExpiration field not updating?
freeipa at noboost.org
freeipa at noboost.org
Tue May 8 05:55:45 UTC 2012
Hi,
Spec:
Red Hat Enterprise Linux Server release 6.2 (Santiago)
ipa-admintools-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
ipa-server-selinux-2.1.3-9.el6.x86_64
Issue:
Firstly I'll declare someone must have seen this by now?
I've set the password policy to 99999;
[root at sysvm-ipa ~]# ipa pwpolicy-show
Group: global_policy
Max lifetime (days): 99999
Min lifetime (hours): 1
History size: 0
Character classes: 0
Min length: 6
Max failures: 6
Failure reset interval: 60
Lockout duration: 600
But old accounts are not getting the change at the ldap level, even
though IPA claims the expiry date has updated.
e.g.
[root at sysvm-ipa ~]# ipa pwpolicy-show --user=john
Group: global_policy
Max lifetime (days): 99999
Min lifetime (hours): 1
History size: 0
Character classes: 0
Min length: 6
Max failures: 6
Failure reset interval: 60
Lockout duration: 600
ldapsearch (command chopped)
# john, users, accounts, teratext.saic.com.au
dn: uid=john,cn=users,cn=accounts,dc=example,dc=com
krbPasswordExpiration: 20120506011529Z
So now when the user(s) logs in, I'm getting "password will expire in XX
days" messages.
Any ideas?
Can I globally update this somehow, otherwise I'll be re-typing
passwords for a while.
cya
Craig
More information about the Freeipa-users
mailing list