[Freeipa-users] krbPasswordExpiration field not updating?

Petr Spacek pspacek at redhat.com
Thu May 10 13:50:20 UTC 2012


On 05/10/2012 03:11 PM, Simo Sorce wrote:
> On Thu, 2012-05-10 at 03:58 +0400, freeipa at noboost.org wrote:
>> On Wed, May 09, 2012 at 01:21:39PM +0200, Petr Spacek wrote:
>>> On 05/09/2012 03:31 AM, Dan Scott wrote:
>>>>> On Tue, May 8, 2012 at 8:45 PM, <freeipa at noboost.org> wrote:
>>>>> On Tue, May 08, 2012 at 09:43:13AM -0400, Rob Crittenden wrote:
>>>>>> Dan Scott wrote:
>>>>>>> On Tue, May 8, 2012 at 1:55 AM, <freeipa at noboost.org> wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Spec:
>>>>>>>> Red Hat Enterprise Linux Server release 6.2 (Santiago)
>>>>>>>>   ipa-admintools-2.1.3-9.el6.x86_64
>>>>>>>>   ipa-client-2.1.3-9.el6.x86_64
>>>>>>>>   ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>>>>>   ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>>>>>   ipa-python-2.1.3-9.el6.x86_64
>>>>>>>>   ipa-server-2.1.3-9.el6.x86_64
>>>>>>>>   ipa-server-selinux-2.1.3-9.el6.x86_64
>>>>>>>>
>>>>>>>> Issue:
>>>>>>>> Firstly I'll declare someone must have seen this by now?
>>>>>>>>
>>>>>>>> I've set the password policy to 99999;
>>>>>>>> [root at sysvm-ipa ~]# ipa pwpolicy-show
>>>>>>>>   Group: global_policy
>>>>>>>>   Max lifetime (days): 99999
>>>>>>>>   Min lifetime (hours): 1
>>>>>>>>   History size: 0
>>>>>>>>   Character classes: 0
>>>>>>>>   Min length: 6
>>>>>>>>   Max failures: 6
>>>>>>>>   Failure reset interval: 60
>>>>>>>>   Lockout duration: 600
>>>>>>>>
>>>>>>>> But old accounts are not getting the change at the ldap level, even
>>>>>>>> though IPA claims the expiry date has updated.
>>>>>>>> e.g.
>>>>>>>> [root at sysvm-ipa ~]# ipa pwpolicy-show --user=john
>>>>>>>>   Group: global_policy
>>>>>>>>   Max lifetime (days): 99999
>>>>>>>>   Min lifetime (hours): 1
>>>>>>>>   History size: 0
>>>>>>>>   Character classes: 0
>>>>>>>>   Min length: 6
>>>>>>>>   Max failures: 6
>>>>>>>>   Failure reset interval: 60
>>>>>>>>   Lockout duration: 600
>>>>>>>>
>>>>>>>>
>>>>>>>> ldapsearch (command chopped)
>>>>>>>> # john, users, accounts, teratext.saic.com.au
>>>>>>>> dn: uid=john,cn=users,cn=accounts,dc=example,dc=com
>>>>>>>> krbPasswordExpiration: 20120506011529Z
>>>>>>>>
>>>>>>>>
>>>>>>>> So now when the user(s) logs in, I'm getting "password will expire in XX
>>>>>>>> days" messages.
>>>>>>>>
>>>>>>>> Any ideas?
>>>>>>>> Can I globally update this somehow, otherwise I'll be re-typing
>>>>>>>> passwords for a while.
>>>>>>>
>>>>>>> A password reset by admin always expires the password. I think once
>>>>>>> the user first changes their password it will have the lifetime that
>>>>>>> you specified.
>>>>>>>
>>>>>>> You can force the expiration date using an ldapmodify command:
>>>>>>>
>>>>>>> ldapmodify -x -D 'cn=directory manager' -W -h $IPA_SERVER -p 389 -vv \
>>>>>>>   -f update_krbpasswordexpiration.ldif
>>>>>>>
>>>>>>> Where the update_krbpasswordexpiration.ldif file contains:
>>>>>>>
>>>>>>> dn: uid=$USERNAME,cn=users,cn=accounts,dc=example,dc=com
>>>>>>> changetype: modify
>>>>>>> replace: krbpasswordexpiration
>>>>>>> krbpasswordexpiration: 20140202203734Z
>>>>>>>
>>>>>>> You could do this as admin if you have a ticket so that you don't have
>>>>>>> to enter the directory manager password.
>>>>>>
>>>>>> This is great, thanks Dan.
>>>>>>
>>>>>> BTW the equivalent command using a Kerberos ticket is:
>>>>>>
>>>>>> $ ldapmodify -Y GSSAPI -h $IPA_SERVER -p 389 -vv \
>>>>>>     -f update_krbpasswordexpiration.ldif
>>>>>>
>>>>>> rob
>>>>>>
>>>>> Thanks, great advice. So just to clarify, do the rear numbers just
>>>>> represent hours, seconds, etc.?
>>>>> e.g. krbpasswordexpiration: 20150101203734Z
>>>>>      krbpasswordexpiration: 20150101 [20 37 34 ?] Z (20=hour, 37=min, 34=sec)?
>>>>
>>>> Yep, and Z indicates GMT.
>>>
>>> Question is:
>>> 1) Should we document that (and provide a hint in `ipa pwpolicy` output)?
>>>   OR
>>> 2) Should `ipa pwpolicy` update all affected principals in
>>> LDAP? Just to prevent confusion?
>>>
>>> I like variant 2, because variant 1 seems to be confusing to me.
>>>
>>> Craig, what is user opinion?
>>>
>>> Petr^2 Spacek
>>>
>> The thing that threw me was that "Max lifetime (days)" is not the actual expiry date.
>> Once I realised that there was an ldap "krbPasswordExpiration" attribute which I can
>> modify directly, then I fixed the issue for the whole company in about 10min :)
>>
>> Documentation (my opinion):
>> * Full meaning for this attribute krbPasswordExpiration
>> * The difference between Max lifetime (days) & krbPasswordExpiration
>> * How to change ldap expiration entries.
>
> It would be nice if you could open a ticket so we can track this RFE and
> not forget about it.

Done 2 hours ago; I forgot to report it :-)

https://fedorahosted.org/freeipa/ticket/2745

>
> Thanks.
> Simo.
>
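The thread leaves two things implicit: the value format (an LDAP GeneralizedTime, YYYYMMDDHHMMSSZ, with Z meaning UTC, as confirmed above) and how the "fixed it for the whole company in about 10min" bulk update is actually built. The script below is an added example for this page, not FreeIPA code and not the commands posted by Dan or Rob. It parses the LDIF that ldapsearch prints, recomputes each user's expiration as krbLastPwdChange plus the policy's max lifetime, and emits the same `changetype: modify` LDIF as the one in the thread, one record per user, ready for `ldapmodify -Y GSSAPI -h $IPA_SERVER -f changes.ldif`. Assumptions: basing the new value on krbLastPwdChange (users without it get "now" plus the lifetime), the ldapsearch filter named in the comment, and the sample output, which is constructed.

```python
"""Regenerate krbPasswordExpiration for many FreeIPA users at once.

Added example, not FreeIPA code.  Input is LDIF as printed by ldapsearch;
output is modify LDIF for ldapmodify.  The GeneralizedTime handling is the
part the thread asked about: 20140202203734Z is 2014-02-02 20:37:34 UTC.
"""
import base64
import re
from datetime import datetime, timedelta, timezone

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"  # YYYYMMDDHHMMSS followed by Z (UTC)


def parse_generalized_time(value):
    """Parse the 14-digits-plus-Z form FreeIPA stores; reject anything else
    (fractional seconds or numeric offsets would be silently misread)."""
    if not re.fullmatch(r"\d{14}Z", value):
        raise ValueError("unsupported GeneralizedTime: %r" % value)
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def format_generalized_time(when):
    """Inverse of parse_generalized_time; `when` must be timezone-aware."""
    return when.astimezone(timezone.utc).strftime(GENERALIZED_TIME)


def parse_ldif_entries(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes base64 (::)
    values, lower-cases attribute names (LDAP names are case-insensitive),
    and drops comments plus records without a dn (version line, search
    result trailer)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # folded line continues the previous one
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:            # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def plan_expirations(ldapsearch_output, max_life_days, now):
    """Return (dn, new krbPasswordExpiration) for every user whose stored value
    differs from krbLastPwdChange + max_life_days.  Assumption: users with no
    krbLastPwdChange are given now + max_life_days.  A computed value in the
    past is kept on purpose: under the policy that password really is expired."""
    lifetime = timedelta(days=max_life_days)
    plan = []
    for entry in parse_ldif_entries(ldapsearch_output):
        dn = entry["dn"][0]
        last_change = entry.get("krblastpwdchange")
        base = parse_generalized_time(last_change[0]) if last_change else now
        new_value = format_generalized_time(base + lifetime)
        if entry.get("krbpasswordexpiration", [None])[0] != new_value:
            plan.append((dn, new_value))
    return plan


def render_ldif(plan):
    """One modify record per user, the same shape as the LDIF in the thread."""
    return "\n".join(
        "dn: %s\nchangetype: modify\nreplace: krbPasswordExpiration\n"
        "krbPasswordExpiration: %s\n" % (dn, value)
        for dn, value in plan
    )


# Constructed sample (not real directory data), shaped like the output of
#   ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=com \
#     '(objectClass=krbPrincipalAux)' krbLastPwdChange krbPasswordExpiration
SAMPLE_LDAPSEARCH_OUTPUT = """\
# extended LDIF
version: 1

# john, users, accounts, example.com
dn: uid=john,cn=users,cn=accounts,dc=example,dc=com
krbLastPwdChange: 20120505011529Z
krbPasswordExpiration: 20120506011529Z

# jane, users, accounts, example.com
dn: uid=jane,cn=users,cn=accounts,dc=example,dc=com
krbLastPwdChange: 20120401120000Z
krbPasswordExpiration: 20120402120000Z

# bob, users, accounts, example.com (folded dn, password never changed)
dn: uid=bob,cn=users,cn=accounts,dc=example,
 dc=com

# carol, users, accounts, example.com (already correct for a 365-day policy)
dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
krbLastPwdChange: 20120301080000Z
krbPasswordExpiration: 20130301080000Z

# search result
search: 2
result: 0 Success
"""

if __name__ == "__main__":
    # Read the generated LDIF before piping it to ldapmodify.
    plan = plan_expirations(SAMPLE_LDAPSEARCH_OUTPUT, 365,
                            datetime(2012, 5, 10, tzinfo=timezone.utc))
    print(render_ldif(plan))
```

Two things worth keeping in mind before applying the output. Dan's point that an admin-set password always starts out expired is deliberate: it forces the user to pick their own password at first login, and a blanket push of krbPasswordExpiration removes that for every account the LDIF touches, so filter out accounts whose password was just reset by an administrator if that matters to you. And since nothing here talks to the directory, inspect the LDIF (the dn list and the computed dates) before running `ldapmodify` on it.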