[Freeipa-users] Password expiry when account provisioned/updated via JSON RPC
Rob Crittenden
rcritten at redhat.com
Mon Mar 4 19:40:53 UTC 2013
Brian Smith wrote:
> Thanks for your response, and sorry for my late response. I'm on RHEL6,
> using the packages from the distribution
> repository, ipa-server-2.2.0-17.el6_3.1.x86_64
>
> My pwpolicy is set as such (in testing):
>
> $ ipa pwpolicy-show --all
> dn: cn=global_policy,cn=rc.usf.edu,cn=kerberos,dc=rc,dc=usf,dc=edu
> Group: global_policy
> Max lifetime (days): 365
> Min lifetime (hours): 1
> History size: 0
> Character classes: 0
> Min length: 8
> Max failures: 10
> Failure reset interval: 60
> Lockout duration: 600
> objectclass: top, nsContainer, krbPwdPolicy
>
>
> If I create an account and set the password using the following JSON
> string, against $server/ipa/json, say today,
>
> {
> "method":"user_add",
> "params":[ [],
> {
> "uid":"it-rc-test-faculty",
> "homedirectory":"/home/i/it-rc-test-faculty",
> "userpassword":"MyPasswordInTheClear",
> "givenname":"RC TEST - Faculty",
> "sn":"Service_Account"
> }]
> }
>
> I get a password expiry time like so:
>
> $ ipa user-show --all it-rc-test-faculty | grep krbpasswordexpiration
> krbpasswordexpiration: 20130602163523Z
>
> That's clearly not one year into the future, but more like 90 days.
>
> Is there something else I'm missing or are we looking at a bug?
I still can't reproduce this. I tried from our 3.x branch and the 2.2
bits on 6.3.
Can you do: ipa pwpolicy-show --user=it-rc-test-faculty
This will show the policy applied to that user.
Might also check /var/log/dirsrv/slapd-REALM/errors for anything suspicious.
rob
>
> Many thanks,
> -Brian
>
>
> On Tue, Feb 26, 2013 at 3:22 AM, Martin Kosek <mkosek at redhat.com> wrote:
>
> On 02/25/2013 04:38 PM, Brian Smith wrote:
> > It seems that regardless of the global password expiry setting, that setting a
> > password via the methods
> >
> > user-add
> > passwd
> >
> > I will always have a password that expires in 90 days. I followed the
> > instructions here http://freeipa.org/page/PasswordSynchronization
> >
> > to avoid the immediate expiry, but I need at least 180 days for my
> > configuration to work.
> >
> > Any help would be appreciated!
> >
> > --
> > Brian Smith
> > Assistant Director
> > Research Computing, University of South Florida
> > 4202 E. Fowler Ave. SVC4010
> > Office Phone: +1 813 974-1467
> > Organization URL: http://rc.usf.edu
> >
>
> Hello Brian,
>
> Updating maximum password expiration time with "ipa pwpolicy-mod" affects only
> new passwords, i.e. password that you already changed will have the old lifetime.
>
> When I tested this on Fedora 18, password change worked for me:
>
> # ipa pwpolicy-mod --maxlife 180
> Group: global_policy
> Max lifetime (days): 180
> Min lifetime (hours): 1
> History size: 0
> Character classes: 0
> Min length: 8
> Max failures: 6
> Failure reset interval: 60
> Lockout duration: 600
>
> # ipa user-add --first=Foo --last=Bar fbar
> -----------------
> Added user "fbar"
> -----------------
> User login: fbar
> First name: Foo
> Last name: Bar
> Full name: Foo Bar
> Display name: Foo Bar
> Initials: FB
> Home directory: /home/fbar
> GECOS field: Foo Bar
> Login shell: /bin/sh
> Kerberos principal: fbar at EXAMPLE.COM
> Email address: fbar at example.com
> UID: 1758200001
> GID: 1758200001
> Password: False
> Member of groups: ipausers
> Kerberos keys available: False
> # ipa passwd fbar
> New Password:
> Enter New Password again to verify:
> ---------------------------------------
> Changed password for "fbar at EXAMPLE.COM"
> ---------------------------------------
>
> $ ssh fbar at ipa.client.fqdn
> fbar at ipa.client.fqdn's password:
> Password expired. Change your password now.
> Last login: Tue Feb 26 09:16:39 2013 from 10.0.0.1
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user fbar.
> Current Password:
> New password:
> Retype new password:
> Your password will expire in 180 day(s). <<<<<<<<<<<<<<<
> passwd: all authentication tokens updated successfully.
> Connection to ipa.client.fqdn closed.
>
> Does this usecase work for you or are you hitting a bug?
>
>
> As for the warning about expiring password, this is a bug in sssd component
> which was already fixed upstream:
>
> https://fedorahosted.org/sssd/ticket/1808
>
> Martin
>
>
>
>
> --
> Brian Smith
> Assistant Director
> Research Computing, University of South Florida
> 4202 E. Fowler Ave. SVC4010
> Office Phone: +1 813 974-1467
> Organization URL: http://rc.usf.edu
>
>
>
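
An added example, not part of the original thread and not FreeIPA code: a check that compares the lifetime a password was actually granted with the policy's "Max lifetime (days)", using the `ipa user-show --all` and `ipa pwpolicy-show` output formats quoted above. It assumes the user entry also lists `krblastpwdchange`; the sample value for that attribute is constructed, and `check_expiry` and `field` are hypothetical helper names.

```python
import re
from datetime import datetime, timezone

# Constructed sample input. krbpasswordexpiration and the policy values are the
# ones quoted in the thread; the krblastpwdchange value is an assumption.
USER_SHOW = """\
  User login: it-rc-test-faculty
  krblastpwdchange: 20130304163523Z
  krbpasswordexpiration: 20130602163523Z
"""
PWPOLICY_SHOW = """\
  Group: global_policy
  Max lifetime (days): 365
  Min lifetime (hours): 1
"""

def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20130602163523Z as aware UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def field(text, name):
    """Return the value of the first 'name: value' line in ipa CLI output."""
    pattern = r"^\s*" + re.escape(name) + r":\s*(.+?)\s*$"
    m = re.search(pattern, text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None

def check_expiry(user_show, pwpolicy_show, tolerance_days=1):
    """Compare the granted password lifetime with the policy maximum."""
    expires = field(user_show, "krbpasswordexpiration")
    changed = field(user_show, "krblastpwdchange")
    max_life = field(pwpolicy_show, "Max lifetime (days)")
    if not (expires and changed and max_life):
        raise ValueError("expiry, last-change or max-lifetime field missing")
    granted = (parse_generalized_time(expires) - parse_generalized_time(changed)).days
    policy = int(max_life)
    if granted <= 0:
        # Expiry equal to the change time: the password must be changed at first login.
        status = "expired-on-set"
    elif abs(granted - policy) <= tolerance_days:
        status = "matches-policy"
    else:
        status = "mismatch"
    return {"granted_days": granted, "policy_days": policy, "status": status}

if __name__ == "__main__":
    print(check_expiry(USER_SHOW, PWPOLICY_SHOW))
```

Running the same check against the output of `ipa pwpolicy-show --user=<login>` instead of the global policy shows whether a different policy is the one in effect for that user.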