[Freeipa-users] krbPasswordExpiration field not updating?

freeipa at noboost.org
Wed May 9 00:45:20 UTC 2012


On Tue, May 08, 2012 at 09:43:13AM -0400, Rob Crittenden wrote:
> Dan Scott wrote:
> >On Tue, May 8, 2012 at 1:55 AM,<freeipa at noboost.org>  wrote:
> >>Hi,
> >>
> >>Spec:
> >>Red Hat Enterprise Linux Server release 6.2 (Santiago)
> >>  ipa-admintools-2.1.3-9.el6.x86_64
> >>  ipa-client-2.1.3-9.el6.x86_64
> >>  ipa-pki-ca-theme-9.0.3-7.el6.noarch
> >>  ipa-pki-common-theme-9.0.3-7.el6.noarch
> >>  ipa-python-2.1.3-9.el6.x86_64
> >>  ipa-server-2.1.3-9.el6.x86_64
> >>  ipa-server-selinux-2.1.3-9.el6.x86_64
> >>
> >>Issue:
> >>Firstly I'll declare someone must have seen this by now?
> >>
> >>I've set the password policy to 99999;
> >>[root at sysvm-ipa ~]# ipa pwpolicy-show
> >>  Group: global_policy
> >>  Max lifetime (days): 99999
> >>  Min lifetime (hours): 1
> >>  History size: 0
> >>  Character classes: 0
> >>  Min length: 6
> >>  Max failures: 6
> >>  Failure reset interval: 60
> >>  Lockout duration: 600
> >>
> >>But old accounts are not getting the change at the ldap level, even
> >>though IPA claims the expiry date has updated.
> >>e.g.
> >>[root at sysvm-ipa ~]# ipa pwpolicy-show --user=john
> >>  Group: global_policy
> >>  Max lifetime (days): 99999
> >>  Min lifetime (hours): 1
> >>  History size: 0
> >>  Character classes: 0
> >>  Min length: 6
> >>  Max failures: 6
> >>  Failure reset interval: 60
> >>  Lockout duration: 600
> >>
> >>
> >>ldapsearch (command chopped)
> >># john, users, accounts, teratext.saic.com.au
> >>dn: uid=john,cn=users,cn=accounts,dc=example,dc=com
> >>krbPasswordExpiration: 20120506011529Z
> >>
> >>
> >>So now when the user(s) logs in, I'm getting "password will expire in XX
> >>days" messages.
> >>
> >>Any ideas?
> >>Can I globally update this somehow, otherwise I'll be re-typing
> >>passwords for a while.
> >
> >A password reset by admin always expires the password. I think once
> >the user first changes their password it will have the lifetime that
> >you specified.
> >
> >You can force the expiration date using an ldapmodify command:
> >
> >ldapmodify -x -D 'cn=directory manager' -W -h $IPA_SERVER -p 389 -vv \
> >    -f update_krbpasswordexpiration.ldif
> >
> >Where the update_krbpasswordexpiration.ldif file contains:
> >
> >dn: uid=$USERNAME,cn=users,cn=accounts,dc=example,dc=com
> >changetype: modify
> >replace: krbpasswordexpiration
> >krbpasswordexpiration: 20140202203734Z
> >
> >You could do this as admin if you have a ticket so that you don't have
> >to enter the directory manager password.
> 
> This is great, thanks Dan.
> 
> BTW the equivalent command using a Kerberos ticket is:
> 
> $ ldapmodify -Y GSSAPI -h $IPA_SERVER -p 389 -vv \
>     -f update_krbpasswordexpiration.ldif
> 
> rob
> 
Thanks, great advice. So just to clarify, do the trailing numbers just
represent hours, seconds etc.?
e.g. krbpasswordexpiration: 20150101203734Z
     krbpasswordexpiration: 20150101 [20 37 34 ?] Z  (20=hour, 37=min, 34=sec)?

cya

Craig
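The value is an LDAP GeneralizedTime (RFC 4517): YYYYMMDD followed by HHMMSS and a literal Z meaning UTC, so 20150101203734Z is 2015-01-01 at 20:37:34 UTC. The script below is an added example, not code from this thread or from FreeIPA itself. It parses and formats that form, computes a new expiration from the policy's max lifetime, and emits one LDIF for many users so a single ldapmodify run (as in Dan's and Rob's commands) replaces the attribute on all of them. The base DN dc=example,dc=com is taken from the thread; the user list is constructed sample data, and the uid safety check is a conservative choice of this example, not an IPA rule.

```python
"""Bulk reset of krbPasswordExpiration for FreeIPA users.

Parses/formats LDAP GeneralizedTime (YYYYMMDDHHMMSSZ, UTC) and builds an
LDIF that `ldapmodify` can apply to many uid= entries in one run.
Added example; not code from the mailing-list thread or from FreeIPA.
"""
import re
from datetime import datetime, timedelta, timezone

# GeneralizedTime as IPA stores it: YYYY MM DD HH MM SS then 'Z' (UTC).
_GT_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")

# Conservative uid check chosen for this example so no DN escaping is needed
# (a uid containing ',' or '=' would otherwise corrupt the dn: line).
_SAFE_UID_RE = re.compile(r"^[A-Za-z0-9._$-]+$")


def parse_generalized_time(value: str) -> datetime:
    """'20150101203734Z' -> tz-aware UTC datetime; raises ValueError otherwise."""
    m = _GT_RE.match(value)
    if not m:
        raise ValueError(f"not YYYYMMDDHHMMSSZ: {value!r}")
    year, month, day, hour, minute, second = (int(x) for x in m.groups())
    # datetime() itself rejects out-of-range fields such as month 13.
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def format_generalized_time(dt: datetime) -> str:
    """tz-aware datetime -> 'YYYYMMDDHHMMSSZ' in UTC."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime; pass a tz-aware value")
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def new_expiration(max_lifetime_days: int, now: datetime) -> str:
    """Expiration value for 'now' plus the policy's Max lifetime (days)."""
    return format_generalized_time(now + timedelta(days=max_lifetime_days))


def days_until_expiry(value: str, now: datetime) -> int:
    """Whole days left, i.e. what the 'password will expire in XX days' warning counts."""
    return (parse_generalized_time(value) - now).days


def build_ldif(uids, expiration: str, base_dn: str = "dc=example,dc=com") -> str:
    """One 'changetype: modify' record per uid, replacing krbPasswordExpiration."""
    parse_generalized_time(expiration)  # fail early on a malformed timestamp
    records = []
    for uid in uids:
        if not _SAFE_UID_RE.match(uid):
            raise ValueError(f"refusing to build a DN from uid {uid!r}")
        records.append("\n".join([
            f"dn: uid={uid},cn=users,cn=accounts,{base_dn}",
            "changetype: modify",
            "replace: krbPasswordExpiration",
            f"krbPasswordExpiration: {expiration}",
        ]))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    # Constructed sample: the user from the thread plus two more, using the
    # 99999-day max lifetime from the quoted global_policy.
    sample_uids = ["john", "alice", "bob"]
    expires = new_expiration(99999, datetime.now(timezone.utc))
    print(build_ldif(sample_uids, expires), end="")
```

Redirect the output to a file and apply it with Rob's command (`ldapmodify -Y GSSAPI -h $IPA_SERVER -p 389 -f that.ldif`, or Dan's `-x -D 'cn=directory manager' -W` form), then confirm with `ldapsearch ... -b uid=john,cn=users,cn=accounts,dc=example,dc=com krbPasswordExpiration` that the stored value changed. Writing the attribute directly bypasses IPA's own password handling, which is the point here, so the GSSAPI route only works if the bound principal's ACIs allow writing krbPasswordExpiration on those entries; Directory Manager always can.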
