[Freeipa-users] krbPasswordExpiration field not updating?

Dan Scott danieljamesscott at gmail.com
Wed May 9 01:31:29 UTC 2012


On Tue, May 8, 2012 at 8:45 PM, <freeipa at noboost.org> wrote:
> On Tue, May 08, 2012 at 09:43:13AM -0400, Rob Crittenden wrote:
>> Dan Scott wrote:
>> >On Tue, May 8, 2012 at 1:55 AM, <freeipa at noboost.org> wrote:
>> >>Hi,
>> >>
>> >>Spec:
>> >>Red Hat Enterprise Linux Server release 6.2 (Santiago)
>> >>  ipa-admintools-2.1.3-9.el6.x86_64
>> >>  ipa-client-2.1.3-9.el6.x86_64
>> >>  ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> >>  ipa-pki-common-theme-9.0.3-7.el6.noarch
>> >>  ipa-python-2.1.3-9.el6.x86_64
>> >>  ipa-server-2.1.3-9.el6.x86_64
>> >>  ipa-server-selinux-2.1.3-9.el6.x86_64
>> >>
>> >>Issue:
>> >>Firstly I'll declare someone must have seen this by now?
>> >>
>> >>I've set the password policy to 99999;
>> >>[root at sysvm-ipa ~]# ipa pwpolicy-show
>> >>  Group: global_policy
>> >>  Max lifetime (days): 99999
>> >>  Min lifetime (hours): 1
>> >>  History size: 0
>> >>  Character classes: 0
>> >>  Min length: 6
>> >>  Max failures: 6
>> >>  Failure reset interval: 60
>> >>  Lockout duration: 600
>> >>
>> >>But old accounts are not getting the change at the ldap level, even
>> >>though IPA claims the expiry date has updated.
>> >>e.g.
>> >>[root at sysvm-ipa ~]# ipa pwpolicy-show --user=john
>> >>  Group: global_policy
>> >>  Max lifetime (days): 99999
>> >>  Min lifetime (hours): 1
>> >>  History size: 0
>> >>  Character classes: 0
>> >>  Min length: 6
>> >>  Max failures: 6
>> >>  Failure reset interval: 60
>> >>  Lockout duration: 600
>> >>
>> >>
>> >>ldapsearch (command chopped)
>> >># john, users, accounts, teratext.saic.com.au
>> >>dn: uid=john,cn=users,cn=accounts,dc=example,dc=com
>> >>krbPasswordExpiration: 20120506011529Z
>> >>
>> >>
>> >>So now when the user(s) logs in, I'm getting "password will expire in XX
>> >>days" messages.
>> >>
>> >>Any ideas?
>> >>Can I globally update this somehow, otherwise I'll be re-typing
>> >>passwords for a while.
>> >
>> >A password reset by admin always expires the password. I think once
>> >the user first changes their password it will have the lifetime that
>> >you specified.
>> >
>> >You can force the expiration date using an ldapmodify command:
>> >
>> >ldapmodify -x -D 'cn=directory manager' -W -h $IPA_SERVER -p 389 -vv
>> >-f update_krbpasswordexpiration.ldif
>> >
>> >Where the update_krbpasswordexpiration.ldif file contains:
>> >
>> >dn: uid=$USERNAME,cn=users,cn=accounts,dc=example,dc=com
>> >changetype: modify
>> >replace: krbpasswordexpiration
>> >krbpasswordexpiration: 20140202203734Z
>> >
>> >You could do this as admin if you have a ticket so that you don't have
>> >to enter the directory manager password.
>>
>> This is great, thanks Dan.
>>
>> BTW the equivalent command using a Kerberos ticket is:
>>
>> $ ldapmodify -Y GSSAPI -h $IPA_SERVER -p 389 -vv -f
>> update_krbpasswordexpiration.ldif
>>
>> rob
>>
> Thanks, great advice. So just to clarify, do the rear numbers just
> represent hours, seconds etc.?
> e.g. krbpasswordexpiration: 20150101203734Z
>     krbpasswordexpiration: 20150101 [20 37 34 ?] Z (20=hour, 37=min, 34=sec)?

Yep, and Z indicates GMT.
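As an added example (not code from this thread), a small Python helper that parses krbPasswordExpiration values in the YYYYMMDDHHMMSSZ GeneralizedTime format discussed above, reports how many days remain before each account's password expires, and generates the same "replace: krbpasswordexpiration" LDIF for a whole batch of users instead of one. The base DN, the uids and the sample timestamps are constructed placeholders, not values from any real directory.

```python
from datetime import datetime, timedelta, timezone

# GeneralizedTime as stored in krbPasswordExpiration: YYYYMMDDHHMMSSZ.
# The trailing Z means UTC (the "GMT" in the reply above).
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"

# Constructed base DN mirroring the thread; a real IPA realm differs.
USERS_BASE = "cn=users,cn=accounts,dc=example,dc=com"


def parse_generalized_time(value: str) -> datetime:
    """Parse a krbPasswordExpiration value into an aware UTC datetime."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"not a YYYYMMDDHHMMSSZ timestamp: {value!r}")
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def format_generalized_time(when: datetime) -> str:
    """Render an aware datetime as GeneralizedTime, always in UTC."""
    return when.astimezone(timezone.utc).strftime(GENERALIZED_TIME)


def days_until_expiry(value: str, now: datetime) -> int:
    """Whole days until the stored expiration (negative once it has passed)."""
    return (parse_generalized_time(value) - now).days


def expiration_ldif(uids, new_expiry: datetime) -> str:
    """Build one LDIF with a 'replace: krbpasswordexpiration' change per user,
    the multi-user form of the single-entry LDIF shown in the thread."""
    stamp = format_generalized_time(new_expiry)
    entries = [
        f"dn: uid={uid},{USERS_BASE}\n"
        "changetype: modify\n"
        "replace: krbpasswordexpiration\n"
        f"krbpasswordexpiration: {stamp}\n"
        for uid in uids
    ]
    return "\n".join(entries)


if __name__ == "__main__":
    now = datetime(2012, 5, 9, 1, 31, 29, tzinfo=timezone.utc)  # constructed
    # Constructed sample of ldapsearch output: uid -> krbPasswordExpiration
    sample = {"john": "20120506011529Z", "jane": "20120601120000Z"}
    soon = [u for u, v in sample.items() if days_until_expiry(v, now) < 30]
    print(expiration_ldif(soon, now + timedelta(days=99999)))
```

Feed the printed LDIF to the ldapmodify command from the thread (either the Directory Manager or the GSSAPI form) to apply it.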