[Freeipa-users] Password expiry when account provisioned/updated via JSON RPC

Rob Crittenden rcritten at redhat.com
Mon Mar 4 19:40:53 UTC 2013


Brian Smith wrote:
> Thanks for your response, and sorry for my late response.  I'm on RHEL6,
> using the packages from the distribution
> repository, ipa-server-2.2.0-17.el6_3.1.x86_64
>
> My pwpolicy is set as such (in testing):
>
> $ ipa pwpolicy-show --all
>    dn: cn=global_policy,cn=rc.usf.edu,cn=kerberos,dc=rc,dc=usf,dc=edu
>    Group: global_policy
>    Max lifetime (days): 365
>    Min lifetime (hours): 1
>    History size: 0
>    Character classes: 0
>    Min length: 8
>    Max failures: 10
>    Failure reset interval: 60
>    Lockout duration: 600
>    objectclass: top, nsContainer, krbPwdPolicy
>
>
> If I create an account and set the password using the following JSON
> string, against $server/ipa/json, say today,
>
> {
>   "method":"user_add",
>   "params":[ [],
>     {
>       "uid":"it-rc-test-faculty",
>       "homedirectory":"/home/i/it-rc-test-faculty",
>       "userpassword":"MyPasswordInTheClear",
>       "givenname":"RC TEST - Faculty",
>       "sn":"Service_Account"
>     }]
> }
>
> I get a password expiry time like so:
>
> $ ipa user-show --all it-rc-test-faculty | grep krbpasswordexpiration
> krbpasswordexpiration: 20130602163523Z
>
> That's clearly not one year into the future, but more like 90 days.
>
> Is there something else I'm missing or are we looking at a bug?

I still can't reproduce this. I tried from our 3.x branch and the 2.2 
bits on 6.3.

Can you do: ipa pwpolicy-show --user=it-rc-test-faculty

This will show the policy applied to that user.

Might also check /var/log/dirsrv/slapd-REALM/errors for anything suspicious.

rob

>
> Many thanks,
> -Brian
>
>
> On Tue, Feb 26, 2013 at 3:22 AM, Martin Kosek <mkosek at redhat.com> wrote:
>
>     On 02/25/2013 04:38 PM, Brian Smith wrote:
>      > It seems that regardless of the global password expiry setting, that
>      > setting a password via the methods
>      >
>      > user-add
>      > passwd
>      >
>      > I will always have a password that expires in 90 days.  I followed the
>      > instructions here http://freeipa.org/page/PasswordSynchronization
>      >
>      > to avoid the immediate expiry, but I need at least 180 days for my
>      > configuration to work.
>      >
>      > Any help would be appreciated!
>      >
>      > --
>      > Brian Smith
>      > Assistant Director
>      > Research Computing, University of South Florida
>      > 4202 E. Fowler Ave. SVC4010
>      > Office Phone: +1 813 974-1467
>      > Organization URL: http://rc.usf.edu
>      >
>
>     Hello Brian,
>
>     Updating maximum password expiration time with "ipa pwpolicy-mod"
>     affects only new passwords, i.e. passwords that you already changed
>     will have the old lifetime.
>
>     When I tested this on Fedora 18, password change worked for me:
>
>     # ipa pwpolicy-mod --maxlife 180
>        Group: global_policy
>        Max lifetime (days): 180
>        Min lifetime (hours): 1
>        History size: 0
>        Character classes: 0
>        Min length: 8
>        Max failures: 6
>        Failure reset interval: 60
>        Lockout duration: 600
>
>     # ipa user-add --first=Foo --last=Bar fbar
>     -----------------
>     Added user "fbar"
>     -----------------
>        User login: fbar
>        First name: Foo
>        Last name: Bar
>        Full name: Foo Bar
>        Display name: Foo Bar
>        Initials: FB
>        Home directory: /home/fbar
>        GECOS field: Foo Bar
>        Login shell: /bin/sh
>        Kerberos principal: fbar@EXAMPLE.COM
>        Email address: fbar@example.com
>        UID: 1758200001
>        GID: 1758200001
>        Password: False
>        Member of groups: ipausers
>        Kerberos keys available: False
>     # ipa passwd fbar
>     New Password:
>     Enter New Password again to verify:
>     ---------------------------------------
>     Changed password for "fbar@EXAMPLE.COM"
>     ---------------------------------------
>
>     $ ssh fbar@ipa.client.fqdn
>     fbar@ipa.client.fqdn's password:
>     Password expired. Change your password now.
>     Last login: Tue Feb 26 09:16:39 2013 from 10.0.0.1
>     WARNING: Your password has expired.
>     You must change your password now and login again!
>     Changing password for user fbar.
>     Current Password:
>     New password:
>     Retype new password:
>     Your password will expire in 180 day(s).    <<<<<<<<<<<<<<<
>     passwd: all authentication tokens updated successfully.
>     Connection to ipa.client.fqdn closed.
>
>     Does this usecase work for you or are you hitting a bug?
>
>
>     As for the warning about expiring password, this is a bug in sssd
>     component which was already fixed upstream:
>
>     https://fedorahosted.org/sssd/ticket/1808
>
>     Martin
>
>
>
>
> --
> Brian Smith
> Assistant Director
> Research Computing, University of South Florida
> 4202 E. Fowler Ave. SVC4010
> Office Phone: +1 813 974-1467
> Organization URL: http://rc.usf.edu
>
>
>
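
Added example, not part of the original thread and not FreeIPA code: a small check that compares the lifetime a password actually received (krbpasswordexpiration minus krblastpwdchange) with the "Max lifetime (days)" line of `ipa pwpolicy-show`, which is the comparison being done by hand above. The function names and the sample text are assumptions; the krbpasswordexpiration value is the one quoted in the thread, while the krblastpwdchange value is constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample input modelled on the command output quoted in this thread.
POLICY_OUTPUT = """\
  Group: global_policy
  Max lifetime (days): 365
  Min lifetime (hours): 1
"""
# krblastpwdchange below is a constructed value (assumption); the thread
# only shows krbpasswordexpiration.
USER_OUTPUT = """\
  uid: it-rc-test-faculty
  krblastpwdchange: 20130304163523Z
  krbpasswordexpiration: 20130602163523Z
"""

def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime of the form YYYYMMDDHHMMSSZ (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def policy_max_life_days(policy_output):
    """Extract 'Max lifetime (days)' from `ipa pwpolicy-show` style text."""
    m = re.search(r"^\s*Max lifetime \(days\):\s*(\d+)\s*$", policy_output, re.M)
    if not m:
        raise ValueError("no 'Max lifetime (days)' line in policy output")
    return int(m.group(1))

def user_attr(user_output, name):
    """Extract a single-valued attribute from `ipa user-show --all` style text."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(\S+)\s*$", user_output, re.M | re.I)
    if not m:
        raise ValueError(f"attribute {name} not found in user output")
    return m.group(1)

def check_expiry(policy_output, user_output, tolerance_days=1):
    """Compare the lifetime the password actually got with the policy value."""
    expected = policy_max_life_days(policy_output)
    changed = parse_generalized_time(user_attr(user_output, "krblastpwdchange"))
    expires = parse_generalized_time(user_attr(user_output, "krbpasswordexpiration"))
    actual = (expires - changed).days
    return {"expected_days": expected, "actual_days": actual,
            "matches_policy": abs(actual - expected) <= tolerance_days}

if __name__ == "__main__":
    print(check_expiry(POLICY_OUTPUT, USER_OUTPUT))
```

Feed it the text of `ipa pwpolicy-show --user=<login>` rather than the global policy to compare against the policy that actually applies to the account.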



