[Freeipa-users] User Migrated from LDAP not able to change the password
Rob Crittenden
rcritten at redhat.com
Tue Feb 12 03:21:50 UTC 2013
Dmitri Pal wrote:
> On 02/10/2013 11:22 PM, Rajnesh Kumar Siwal wrote:
>> The details are as follows:-
>>
>> [root at ipa1 ~]# ipa pwpolicy-show
>> Group: global_policy
>> Max lifetime (days): 90
>> Min lifetime (hours): 1
>> History size: 0
>> Character classes: 0
>> Min length: 12
>> Max failures: 6
>> Failure reset interval: 60
>> Lockout duration: 600
>> [root at ipa1 ~]# ipa user-show siwal --all --raw
>> dn: uid=siwal,cn=users,cn=accounts,dc=xyz,dc=dmz
>> uid: siwal
>> sn: Kumar
>> cn: siwal
>> homedirectory: /home/siwal
>> loginshell: /bin/bash
>> krbprincipalname: siwal at XYZ.DMZ
>> uidnumber: 522
>> gidnumber: 522
>> nsaccountlock: False
>> has_password: True
>> has_keytab: True
>> ipauniqueid: 65775332-712f-11e2-b3cc-000c298a58a4
>> krblastpwdchange: 20130208035343Z
>> krblastsuccessfulauth: 20130208035929Z
>> krbpasswordexpiration: 20130208035343Z
>> memberof: cn=ipausers,cn=groups,cn=accounts,dc=xyz,dc=dmz
>> memberofindirect: cn=software,cn=groups,cn=accounts,dc=xyz,dc=dmz
>> objectclass: krbticketpolicyaux
>> objectclass: ipaobject
>> objectclass: organizationalperson
>> objectclass: top
>> objectclass: ipasshuser
>> objectclass: inetorgperson
>> objectclass: person
>> objectclass: inetuser
>> objectclass: krbprincipalaux
>> objectclass: shadowaccount
>> objectclass: posixaccount
>> objectclass: ipaSshGroupOfPubKeys
>> shadowlastchange: 14879
>> shadowmax: 99999
>> shadowmin: 0
>> shadowwarning: 7
>>
>>
> Shadow? Is this normal for IPA accounts? I do not remember seeing it before.
>
They have added the shadowAccount objectclass. I also don't see a
password policy reference in this user.
Does ipa pwpolicy-show --user=siwal return anything?
You might check /var/lig/dirsrv/slapd-YOUR_REALM/errors for any issues.
And note that there is a minimum lifetime on passwords so they can't be
changed too quickly.
rob
More information about the Freeipa-users
mailing list