[Freeipa-users] Password expiry when account provisioned/updated via JSON RPC

Brian Smith brs at usf.edu
Mon Mar 4 18:41:23 UTC 2013


Thanks for your response, and sorry for my late response. I'm on RHEL6,
using the packages from the distribution repository,
ipa-server-2.2.0-17.el6_3.1.x86_64

My pwpolicy is set as such (in testing):

$ ipa pwpolicy-show --all
  dn: cn=global_policy,cn=rc.usf.edu,cn=kerberos,dc=rc,dc=usf,dc=edu
  Group: global_policy
  Max lifetime (days): 365
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 10
  Failure reset interval: 60
  Lockout duration: 600
  objectclass: top, nsContainer, krbPwdPolicy


If I create an account and set the password using the following JSON
string, against $server/ipa/json, say today,

{
 "method":"user_add",
 "params":[ [],
   {
     "uid":"it-rc-test-faculty",
     "homedirectory":"/home/i/it-rc-test-faculty",
     "userpassword":"MyPasswordInTheClear",
     "givenname":"RC TEST - Faculty",
     "sn":"Service_Account"
   }]
}

I get a password expiry time like so:

$ ipa user-show --all it-rc-test-faculty | grep krbpasswordexpiration
krbpasswordexpiration: 20130602163523Z

That's clearly not one year into the future, but more like 90 days.

Is there something else I'm missing or are we looking at a bug?

Many thanks,
-Brian


On Tue, Feb 26, 2013 at 3:22 AM, Martin Kosek <mkosek at redhat.com> wrote:

> On 02/25/2013 04:38 PM, Brian Smith wrote:
> > It seems that regardless of the global password expiry setting, that
> > setting a password via the methods
> >
> > user-add
> > passwd
> >
> > I will always have a password that expires in 90 days.  I followed the
> > instructions here http://freeipa.org/page/PasswordSynchronization
> >
> > to avoid the immediate expiry, but I need at least 180 days for my
> > configuration to work.
> >
> > Any help would be appreciated!
> >
> > --
> > Brian Smith
> > Assistant Director
> > Research Computing, University of South Florida
> > 4202 E. Fowler Ave. SVC4010
> > Office Phone: +1 813 974-1467
> > Organization URL: http://rc.usf.edu
> >
>
> Hello Brian,
>
> Updating maximum password expiration time with "ipa pwpolicy-mod" affects only
> new passwords, i.e. a password that you already changed will have the old
> lifetime.
>
> When I tested this on Fedora 18, password change worked for me:
>
> # ipa pwpolicy-mod --maxlife 180
>   Group: global_policy
>   Max lifetime (days): 180
>   Min lifetime (hours): 1
>   History size: 0
>   Character classes: 0
>   Min length: 8
>   Max failures: 6
>   Failure reset interval: 60
>   Lockout duration: 600
>
> # ipa user-add --first=Foo --last=Bar fbar
> -----------------
> Added user "fbar"
> -----------------
>   User login: fbar
>   First name: Foo
>   Last name: Bar
>   Full name: Foo Bar
>   Display name: Foo Bar
>   Initials: FB
>   Home directory: /home/fbar
>   GECOS field: Foo Bar
>   Login shell: /bin/sh
>   Kerberos principal: fbar@EXAMPLE.COM
>   Email address: fbar@example.com
>   UID: 1758200001
>   GID: 1758200001
>   Password: False
>   Member of groups: ipausers
>   Kerberos keys available: False
> # ipa passwd fbar
> New Password:
> Enter New Password again to verify:
> ---------------------------------------
> Changed password for "fbar@EXAMPLE.COM"
> ---------------------------------------
>
> $ ssh fbar@ipa.client.fqdn
> fbar@ipa.client.fqdn's password:
> Password expired. Change your password now.
> Last login: Tue Feb 26 09:16:39 2013 from 10.0.0.1
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user fbar.
> Current Password:
> New password:
> Retype new password:
> Your password will expire in 180 day(s).    <<<<<<<<<<<<<<<
> passwd: all authentication tokens updated successfully.
> Connection to ipa.client.fqdn closed.
>
> Does this use case work for you or are you hitting a bug?
>
>
> As for the warning about expiring password, this is a bug in the sssd
> component which was already fixed upstream:
>
> https://fedorahosted.org/sssd/ticket/1808
>
> Martin
>



-- 
Brian Smith
Assistant Director
Research Computing, University of South Florida
4202 E. Fowler Ave. SVC4010
Office Phone: +1 813 974-1467
Organization URL: http://rc.usf.edu
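
Added example, not part of the original thread or of FreeIPA's own code: a small check that compares the lifetime actually granted to an account with the policy's "Max lifetime (days)", using text in the shape printed by "ipa user-show --all" and "ipa pwpolicy-show --all". It assumes the user entry also lists krblastpwdchange, which the thread does not show; that sample value is constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample input modelled on the command output in this thread.
# krblastpwdchange is not shown in the thread; its value here is assumed.
USER_SHOW = """\
  User login: it-rc-test-faculty
  krblastpwdchange: 20130304163523Z
  krbpasswordexpiration: 20130602163523Z
"""
PWPOLICY_SHOW = """\
  Group: global_policy
  Max lifetime (days): 365
  Min lifetime (hours): 1
"""

def field(text, label):
    """Return the value of a 'label: value' line from ipa CLI output."""
    m = re.search(r"^\s*" + re.escape(label) + r":\s*(\S+)\s*$", text, re.M)
    if m is None:
        raise ValueError("field not found: " + label)
    return m.group(1)

def gentime(value):
    """Parse an LDAP GeneralizedTime in the UTC form the CLI prints."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def check_lifetime(user_show, pwpolicy_show, tolerance_days=1):
    """Compare the lifetime actually granted with the policy maximum."""
    changed = gentime(field(user_show, "krblastpwdchange"))
    expires = gentime(field(user_show, "krbpasswordexpiration"))
    policy_days = int(field(pwpolicy_show, "Max lifetime (days)"))
    granted_days = (expires - changed).days
    return {
        "granted_days": granted_days,
        "policy_days": policy_days,
        # True when the password was already expired at the time it was set
        "expired_on_set": granted_days <= 0,
        "matches_policy": abs(granted_days - policy_days) <= tolerance_days,
    }

if __name__ == "__main__":
    print(check_lifetime(USER_SHOW, PWPOLICY_SHOW))
```

Running the same check over every account provisioned through the JSON interface shows which entries received a lifetime other than the one in the policy.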