[Freeipa-users] krbPasswordExpiration field not updating?

Wed May 9 12:19:59 UTC 2012

On Wed, 2012-05-09 at 13:21 +0200, Petr Spacek wrote:
> On 05/09/2012 03:31 AM, Dan Scott wrote:
> > On Tue, May 8, 2012 at 8:45 PM,<freeipa at noboost.org>  wrote:
> >> On Tue, May 08, 2012 at 09:43:13AM -0400, Rob Crittenden wrote:
> >>> Dan Scott wrote:
> >>>> On Tue, May 8, 2012 at 1:55 AM,<freeipa at noboost.org>    wrote:
> >>>>> Hi,
> >>>>>
> >>>>> Spec:
> >>>>> Red Hat Enterprise Linux Server release 6.2 (Santiago)
> >>>>>   ipa-admintools-2.1.3-9.el6.x86_64
> >>>>>   ipa-client-2.1.3-9.el6.x86_64
> >>>>>   ipa-pki-ca-theme-9.0.3-7.el6.noarch
> >>>>>   ipa-pki-common-theme-9.0.3-7.el6.noarch
> >>>>>   ipa-python-2.1.3-9.el6.x86_64
> >>>>>   ipa-server-2.1.3-9.el6.x86_64
> >>>>>   ipa-server-selinux-2.1.3-9.el6.x86_64
> >>>>>
> >>>>> Issue:
> >>>>> Firstly I'll declare someone must have seen this by now?
> >>>>>
> >>>>> I've set the password policy to 99999;
> >>>>> [root at sysvm-ipa ~]# ipa pwpolicy-show
> >>>>>   Group: global_policy
> >>>>>   Max lifetime (days): 99999
> >>>>>   Min lifetime (hours): 1
> >>>>>   History size: 0
> >>>>>   Character classes: 0
> >>>>>   Min length: 6
> >>>>>   Max failures: 6
> >>>>>   Failure reset interval: 60
> >>>>>   Lockout duration: 600
> >>>>>
> >>>>> But old accounts are not getting the change at the ldap level, even
> >>>>> though IPA claims the expiry date has updated.
> >>>>> e.g.
> >>>>> [root at sysvm-ipa ~]# ipa pwpolicy-show --user=john
> >>>>>   Group: global_policy
> >>>>>   Max lifetime (days): 99999
> >>>>>   Min lifetime (hours): 1
> >>>>>   History size: 0
> >>>>>   Character classes: 0
> >>>>>   Min length: 6
> >>>>>   Max failures: 6
> >>>>>   Failure reset interval: 60
> >>>>>   Lockout duration: 600
> >>>>>
> >>>>>
> >>>>> ldapsearch (command chopped)
> >>>>> # john, users, accounts, teratext.saic.com.au
> >>>>> dn: uid=john,cn=users,cn=accounts,dc=example,dc=com
> >>>>> krbPasswordExpiration: 20120506011529Z
> >>>>>
> >>>>>
> >>>>> So now when the user(s) logs in, I'm getting "password will expire in XX
> >>>>> days" messages.
> >>>>>
> >>>>> Any ideas?
> >>>>> Can I globally update this somehow, otherwise I'll be re-typing
> >>>>> passwords for a while.
> >>>>
> >>>> A password reset by admin always expires the password. I think once
> >>>> the user first changes their password it will have the lifetime that
> >>>> you specified.
> >>>>
> >>>> You can force the expiration date using an ldapmodify command:
> >>>>
> >>>> ldapmodify -x -D 'cn=directory manager' -W -h $IPA_SERVER -p 389 -vv
> >>>> -f update_krbpasswordexpiration.ldif
> >>>>
> >>>> Where the update_krbpasswordexpiration.ldif file contains:
> >>>>
> >>>> dn: uid=$USERNAME,cn=users,cn=accounts,dc=example,dc=com
> >>>> changetype: modify
> >>>> replace: krbpasswordexpiration
> >>>> krbpasswordexpiration: 20140202203734Z
> >>>>
> >>>> You could do this as admin if you have a ticket so that you don't have
> >>>> to enter the directory manager password.
> >>>
> >>> This is great, thanks Dan.
> >>>
> >>> BTW the equivalent command using a Kerberos ticket is:
> >>>
> >>> $ ldapmodify -Y GSSAPI -h $IPA_SERVER -p 389 -vv -f
> >>> update_krbpasswordexpiration.ldif
> >>>
> >>> rob
> >>>
> >> Thanks great advice, so just to clarify, do the rear numbers just
> >> represent hours, seconds etc?
> >> e.g. krbpasswordexpiration: 20150101203734Z
> >>      krbpasswordexpiration: 20150101 [20 37 34 ?] Z (20=hour,37=min,34=sec]?
> >
> > Yep, and Z indicates GMT.
> 
> Question is:
> 1) Should we document that (and provide a hint in `ipa pwpolicy` output)?

Yes.

> 2) Should ipa pwpolicy do update for all affected principals in LDAP? Just to 
> prevent confusion?

No.

> I like variant 2, because variant 1 seems to be confusing to me.

May not be what the user wants to do, and would cause a lot of changes
all over the directory and a lot of replication.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York