[Freeipa-users] Password Expiration Grace Limit

Simo Sorce simo at redhat.com
Fri Sep 14 19:02:09 UTC 2012


On Fri, 2012-09-14 at 14:50 -0400, Dmitri Pal wrote:
> On 09/14/2012 02:33 PM, Ott, Dennis wrote: 
> > There seems to be nothing in the documentation about a user being
> > able to initiate a password change dialogue after their password has
> > expired, yet it seems that one is able to do just that. There is a
> > value in the ldap store, passwordGraceLimit, which is initialized to
> > zero. I have modified that value but it seems to have no effect.
> > 
> > I would like to limit this ability to just a few days, or
> > alternatively, completely lock out the account once the password has
> > expired. 
> > 
> > Does anyone have any insight as to how to do this? If not, is it
> > planned for a future release?
> > 
> > I suppose I could look at a script running daily that would lock the
> > account if the user’s password has expired in the last X hours, but
> > I was hoping for something builtin.
> > 
> > Any help is appreciated.
> > 
> AFAIR this is the first request of this kind. We allow changing the
> password even after expiration. The main reason is that newly created
> accounts need to change passwords, so they are marked as immediately
> expired. But it might take some time for a user to actually log into the
> system for the first time; this is why we never thought about the use
> case described. So I suspect we do not have any grace period enforced.
> 
> It might be a bug. 
> 
> Simo, what do you think ?

Sounds like material for a Feature Request.

I think setting a grace period is a good idea, and it has the nice side
effect of automatically locking new accounts if the user never uses them.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
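Added example, not from this thread or from the FreeIPA project: the daily "lock accounts whose password expired more than X ago" check that Dennis sketched, expressed as a dry-run that lists the accounts and the `ipa user-disable` commands an admin would run. It assumes entries carry FreeIPA's `krbPasswordExpiration` (LDAP GeneralizedTime) and `nsAccountLock` attributes; the user records below are constructed sample data rather than a live LDAP search.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of what an LDAP search over the users container
# might return. krbPasswordExpiration is the attribute FreeIPA uses for
# user password expiry; values are LDAP GeneralizedTime (YYYYMMDDHHMMSSZ).
SAMPLE_USERS = [
    {"uid": "alice", "krbPasswordExpiration": "20120901120000Z", "nsAccountLock": "FALSE"},
    {"uid": "bob",   "krbPasswordExpiration": "20120913120000Z", "nsAccountLock": "FALSE"},
    {"uid": "carol", "krbPasswordExpiration": "20121101120000Z", "nsAccountLock": "FALSE"},
    {"uid": "dave",  "krbPasswordExpiration": "20120801120000Z", "nsAccountLock": "TRUE"},
    {"uid": "erin"},  # no expiry attribute at all (e.g. password never expires)
]

def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime value (UTC, 'Z' suffix) into an aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def accounts_past_grace(users, grace, now):
    """Return uids whose password expired more than `grace` ago and that are
    not already locked. Entries without an expiry are deliberately skipped
    so a missing attribute never causes an accidental lockout."""
    cutoff = now - grace
    to_lock = []
    for user in users:
        if user.get("nsAccountLock", "FALSE").upper() == "TRUE":
            continue  # already disabled, nothing to do
        expiry = user.get("krbPasswordExpiration")
        if not expiry:
            continue
        if parse_generalized_time(expiry) <= cutoff:
            to_lock.append(user["uid"])
    return to_lock

def lock_commands(uids):
    """Render the ipa CLI commands an admin would review before running."""
    return [f"ipa user-disable {uid}" for uid in uids]

if __name__ == "__main__":
    # Fixed "now" so the dry run is reproducible; a cron job would use datetime.now(timezone.utc).
    now = datetime(2012, 9, 14, 19, 0, tzinfo=timezone.utc)
    for cmd in lock_commands(accounts_past_grace(SAMPLE_USERS, timedelta(days=3), now)):
        print(cmd)
```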