[Freeipa-users] non-expiring password policy (or as close as I can come)

Rob Crittenden rcritten at redhat.com
Thu Jan 24 22:12:59 UTC 2013


Steven Jones wrote:
> Hi,
>
> That could explain why 9999 hasn't worked for my service accounts.
>
> Is this fixed in 6.4?

No, we are still working on the fix on the freeipa-devel list.

rob

>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Rob Crittenden [rcritten at redhat.com]
> Sent: Friday, 25 January 2013 11:03 a.m.
> To: KodaK
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] non-expiring password policy (or as close as I can come)
>
> KodaK wrote:
>> I have a need to have certain mission critical application accounts
>> non-expiring (people don't log in directly, but if the accounts expire
>> it could stop production jobs.)
>>
>> I've set "Max lifetime (days)" to 99999 in the web interface, but
>> here's what I see when I do "ipa pwpolicy show":
>>
>>     Group: application-accounts
>>     Max lifetime (days): 8639913600
>>     Min lifetime (hours): 0
>>     History size: 0
>>     Character classes: 3
>>     Min length: 8
>>     Priority: 0
>>     Max failures: 0
>>     Failure reset interval: 0
>>     Lockout duration: 0
>>
>> I have a user that is a member of the application-accounts group and
>> they reset their password yesterday, but their password is set to
>> expire in three months:
>>
>> krbpasswordexpiration: 20130423220808Z
>> krbpwdpolicyreference: cn=application-accounts
>>
>> Have I hit some maximum and I'm confusing IPA?  Or do I completely
>> misunderstand these entries?
>>
>> I also have a case open with RH on this, but I haven't heard anything
>> back yet.  If I get this solved through them I'll be sure to reply
>> with results.
>
> It is a 32-bit time problem.
>
> I'd set the maxlife no higher than 5000 for now.
>
> rob

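A way to check a policy value against the limit discussed in this thread, as an added example that is not part of the original messages or FreeIPA's code. It assumes the expiry is computed as reset time plus the lifetime in seconds and held in a signed 32-bit time value (the thread says only "32-bit time problem"); the reset date and all function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

INT32_MAX = 2**31 - 1   # last second a signed 32-bit time value can hold (2038-01-19)
DAY = 86400             # seconds per day

def parse_pwpolicy(text):
    """Parse the 'Key: value' lines of `ipa pwpolicy show` output into a dict."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(\S+)\s*$", line)
        if m:
            key, val = m.group(1).strip(), m.group(2)
            policy[key] = int(val) if val.isdigit() else val
    return policy

def expiry_fits(reset, lifetime_seconds):
    """True if reset + lifetime is still representable in signed 32 bits."""
    return int(reset.timestamp()) + lifetime_seconds <= INT32_MAX

def max_safe_days(reset):
    """Largest whole-day lifetime that does not pass the 32-bit limit."""
    return (INT32_MAX - int(reset.timestamp())) // DAY

# Output lines as quoted in the thread (shortened).
SAMPLE = """\
    Group: application-accounts
    Max lifetime (days): 8639913600
    Min lifetime (hours): 0
"""

# Constructed password reset time (assumption, not taken from the thread).
RESET = datetime(2013, 1, 24, tzinfo=timezone.utc)

if __name__ == "__main__":
    shown = parse_pwpolicy(SAMPLE)["Max lifetime (days)"]
    # The displayed figure equals 99999 * 86400, so it is checked as seconds here.
    print("displayed value fits:", expiry_fits(RESET, shown))
    for days in (5000, 9999, 99999):
        print(days, "days fits:", expiry_fits(RESET, days * DAY))
    print("largest safe value in days:", max_safe_days(RESET))
```
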