[Freeipa-users] Password Expiration Grace Limit
Rob Crittenden
rcritten at redhat.com
Fri Sep 14 18:52:28 UTC 2012
Ott, Dennis wrote:
> There seems to be nothing in the documentation about a user being able
> to initiate a password change dialogue after their password has expired,
> yet it seems that one is able to do just that. There is a value in the
> ldap store, passwordGraceLimit, which is initialized to zero. I have
> modified that value but it seems to have no effect.
This value is not used by IPA.
I don't believe we have the ability to do this right now. As you
suggest, some automation may be required to find expired passwords and
lock them out.
> I would like to limit this ability to just a few days, or alternatively,
> completely lock out the account once the password has expired.
This would be difficult because administratively-reset accounts have
their passwords expired to force users to set a new one (so that only
the end-user knows their password). This would effectively lock everyone
out.
>
> Does anyone have any insight as to how to do this? If not, is it planned
> for a future release?
No plans for this AFAIK. Feel free to file an enhancement request ticket
on our Trac site, https://fedorahosted.org/freeipa/
> I suppose I could look at a script running daily that would lock the
> account if the user’s password has expired in the last X hours, but I
> was hoping for something builtin.
regards
rob
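
Added example, not part of the original message and not FreeIPA code: a sketch of the daily job discussed above, which reads `ldapsearch -LLL` style output and lists accounts whose krbPasswordExpiration is older than a grace window. The sample entries, the function names, the three-day window, and the premise that an administrative reset sets the expiry to about the reset time (so those accounts still fall inside the window) are assumptions.

```python
from datetime import datetime, timedelta, timezone
# Constructed sample of `ldapsearch -LLL` output; uids and dates are made up.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
krbPasswordExpiration: 20120901000000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
krbPasswordExpiration: 20120914120000Z

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
uid: carol
krbPasswordExpiration: 20121201000000Z

dn: uid=dave,cn=users,cn=accounts,dc=example,dc=com
uid: dave
krbPasswordExpiration: 20120801000000Z
nsAccountLock: TRUE
"""

def parse_entries(ldif):
    # One dict per blank-line-separated entry; single-valued attributes only.
    entries = []
    for block in ldif.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                entry[key.lower()] = value
        entries.append(entry)
    return entries

def accounts_to_lock(ldif, now, grace):
    """Return uids expired for longer than `grace` and not already locked."""
    cutoff = now - grace
    uids = []
    for e in parse_entries(ldif):
        expiry = e.get("krbpasswordexpiration")
        if not expiry or e.get("nsaccountlock", "").upper() == "TRUE":
            continue  # no expiry recorded, or account is already disabled
        expired_at = datetime.strptime(expiry, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        if expired_at < cutoff:  # recently expired (e.g. admin reset) stays usable
            uids.append(e["uid"])
    return uids

if __name__ == "__main__":
    now = datetime(2012, 9, 14, 18, 52, tzinfo=timezone.utc)  # constructed "current" time
    for uid in accounts_to_lock(SAMPLE_LDIF, now, timedelta(days=3)):
        print("ipa user-disable", uid)  # review the list before running these
```

With a zero grace window the same run would also list bob, whose password expired only hours earlier, which is the lock-everyone-out case the reply warns about.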