[Freeipa-users] Password expiry when account provisioned/updated via JSON RPC

Brian Smith brs at usf.edu
Wed Mar 6 03:28:51 UTC 2013


I set the policy to 1 year and recreated the account.

$ ipa pwpolicy-show --user=it-rc-test-faculty
  Group: global_policy
  Max lifetime (days): 365
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 10
  Failure reset interval: 60
  Lockout duration: 600

Looks like a bug was filed for this about 9 months ago:
https://fedorahosted.org/freeipa/ticket/2795

I can also confirm the same behavior when the policy is set to 0 days, less
than 90 days, or if I create a separate password policy for users in the
ipausers group.  The result is always 90 days.

If the user updates the password themselves (after initial login) then the
password policy works and sets the expiry accordingly.

The user that is adding the users with userpasswd set appears in the
passsyncmanagersdns list:

passsyncmanagersdns:
uid=rc-user-svcacct,cn=users,cn=accounts,dc=rc,dc=usf,dc=edu


On Mon, Mar 4, 2013 at 2:40 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Brian Smith wrote:
>
>> Thanks for your response, and sorry for my late response.  I'm on RHEL6,
>> using the packages from the distribution
>> repository, ipa-server-2.2.0-17.el6_3.1.x86_64
>>
>> My pwpolicy is set as such (in testing):
>>
>> $ ipa pwpolicy-show --all
>>    dn: cn=global_policy,cn=rc.usf.edu,cn=kerberos,dc=rc,dc=usf,dc=edu
>>
>>    Group: global_policy
>>    Max lifetime (days): 365
>>    Min lifetime (hours): 1
>>    History size: 0
>>    Character classes: 0
>>    Min length: 8
>>    Max failures: 10
>>    Failure reset interval: 60
>>    Lockout duration: 600
>>    objectclass: top, nsContainer, krbPwdPolicy
>>
>>
>> If I create an account and set the password using the following JSON
>> string, against $server/ipa/json, say today,
>>
>> {
>>   "method":"user_add",
>>   "params":[ [],
>>     {
>>       "uid":"it-rc-test-faculty",
>>       "homedirectory":"/home/i/it-rc-test-faculty",
>>       "userpassword":"MyPasswordInTheClear",
>>       "givenname":"RC TEST - Faculty",
>>       "sn":"Service_Account"
>>     }]
>> }
>>
>> I get a password expiry time like so:
>>
>> $ ipa user-show --all it-rc-test-faculty | grep krbpasswordexpiration
>> krbpasswordexpiration: 20130602163523Z
>>
>> That's clearly not one year into the future, but more like 90 days.
>>
>> Is there something else I'm missing or are we looking at a bug?
>>
>
> I still can't reproduce this. I tried from our 3.x branch and the 2.2 bits
> on 6.3.
>
> Can you do: ipa pwpolicy-show --user=it-rc-test-faculty
>
> This will show the policy applied to that user.
>
> Might also check /var/log/dirsrv/slapd-REALM/errors for anything
> suspicious.
>
> rob
>
>
>> Many thanks,
>> -Brian
>>
>>
>> On Tue, Feb 26, 2013 at 3:22 AM, Martin Kosek <mkosek at redhat.com> wrote:
>>
>>     On 02/25/2013 04:38 PM, Brian Smith wrote:
>>      > It seems that regardless of the global password expiry setting,
>>     that setting a
>>      > password via the methods
>>      >
>>      > user-add
>>      > passwd
>>      >
>>      > I will always have a password that expires in 90 days.  I
>>     followed the
>>      > instructions here http://freeipa.org/page/PasswordSynchronization
>>      >
>>      > to avoid the immediate expiry, but I need at least 180 days for my
>>      > configuration to work.
>>      >
>>      > Any help would be appreciated!
>>      >
>>      > --
>>      > Brian Smith
>>      > Assistant Director
>>      > Research Computing, University of South Florida
>>      > 4202 E. Fowler Ave. SVC4010
>>      > Office Phone: +1 813 974-1467
>>
>>      > Organization URL: http://rc.usf.edu
>>      >
>>
>>     Hello Brian,
>>
>>     Updating maximum password expiration time with "ipa pwpolicy-mod"
>>     affects only
>>     new passwords, i.e. password that you already changed will have the
>>     old lifetime.
>>
>>     When I tested this on Fedora 18, password change worked for me:
>>
>>     # ipa pwpolicy-mod --maxlife 180
>>        Group: global_policy
>>        Max lifetime (days): 180
>>        Min lifetime (hours): 1
>>        History size: 0
>>        Character classes: 0
>>        Min length: 8
>>        Max failures: 6
>>        Failure reset interval: 60
>>        Lockout duration: 600
>>
>>     # ipa user-add --first=Foo --last=Bar fbar
>>     -----------------
>>     Added user "fbar"
>>     -----------------
>>        User login: fbar
>>        First name: Foo
>>        Last name: Bar
>>        Full name: Foo Bar
>>        Display name: Foo Bar
>>        Initials: FB
>>        Home directory: /home/fbar
>>        GECOS field: Foo Bar
>>        Login shell: /bin/sh
>>        Kerberos principal: fbar at EXAMPLE.COM
>>        Email address: fbar at example.com
>>
>>        UID: 1758200001
>>        GID: 1758200001
>>        Password: False
>>        Member of groups: ipausers
>>        Kerberos keys available: False
>>     # ipa passwd fbar
>>     New Password:
>>     Enter New Password again to verify:
>>     ---------------------------------------
>>     Changed password for "fbar at EXAMPLE.COM"
>>     ---------------------------------------
>>
>>     $ ssh fbar at ipa.client.fqdn
>>     fbar at ipa.client.fqdn's password:
>>     Password expired. Change your password now.
>>     Last login: Tue Feb 26 09:16:39 2013 from 10.0.0.1
>>     WARNING: Your password has expired.
>>     You must change your password now and login again!
>>     Changing password for user fbar.
>>     Current Password:
>>     New password:
>>     Retype new password:
>>     Your password will expire in 180 day(s).    <<<<<<<<<<<<<<<
>>     passwd: all authentication tokens updated successfully.
>>     Connection to ipa.client.fqdn closed.
>>
>>     Does this usecase work for you or are you hitting a bug?
>>
>>
>>     As for the warning about expiring password, this is a bug in sssd
>>     component
>>     which was already fixed upstream:
>>
>>     https://fedorahosted.org/sssd/ticket/1808
>>
>>     Martin
>>
>>
>>
>>
>> --
>> Brian Smith
>> Assistant Director
>> Research Computing, University of South Florida
>> 4202 E. Fowler Ave. SVC4010
>> Office Phone: +1 813 974-1467
>> Organization URL: http://rc.usf.edu
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>


-- 
Brian Smith
Assistant Director
Research Computing, University of South Florida
4202 E. Fowler Ave. SVC4010
Office Phone: +1 813 974-1467
Organization URL: http://rc.usf.edu
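The check Brian is doing by hand above (read the policy that applies to the user, read krbpasswordexpiration, see whether the gap matches the policy's max lifetime) can be scripted so it runs over many accounts after a provisioning batch. The script below is an added example and is not code from the thread or from the FreeIPA project. It parses the `Key: value` lines that the `ipa` CLI prints, parses the LDAP GeneralizedTime value of krbpasswordexpiration, and compares the observed lifetime with "Max lifetime (days)" from `ipa pwpolicy-show --user=<uid>`. The sample policy and user-show text are constructed from the outputs quoted in the thread; the time at which user_add ran (SAMPLE_SET_AT) is an assumption, since the CLI output alone does not record when the password was set, so the caller must supply it.

```python
import re
from datetime import datetime, timezone

# Constructed sample inputs, modelled on the outputs quoted in the thread:
# `ipa pwpolicy-show --user=<uid>` and the krbpasswordexpiration line from
# `ipa user-show --all <uid>`.
SAMPLE_POLICY = """\
  Group: global_policy
  Max lifetime (days): 365
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 10
  Failure reset interval: 60
  Lockout duration: 600
"""
SAMPLE_USER_SHOW = "krbpasswordexpiration: 20130602163523Z\n"
# Assumed (constructed) moment at which user_add with userpassword ran.
SAMPLE_SET_AT = "20130304163523Z"

# One "Key: value" line as printed by the ipa CLI; the key stops at the
# first colon so DN values containing further colons stay intact.
FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")


def parse_ipa_output(text):
    """Turn the 'Key: value' lines the ipa CLI prints into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def parse_generalized_time(value):
    """Parse LDAP GeneralizedTime as FreeIPA prints it (YYYYMMDDhhmmssZ)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def audit_expiry(policy_text, user_show_text, password_set_at, tolerance_days=1):
    """Compare the expiry stored on the account with the policy's max lifetime.

    Returns the expected and observed lifetimes in days plus a 'matches' flag.
    password_set_at is the GeneralizedTime at which the password was set
    (e.g. when the user_add or passwd call was made); it is not derivable
    from the CLI output and must be supplied by the caller.
    """
    policy = parse_ipa_output(policy_text)
    user = parse_ipa_output(user_show_text)
    expected = int(policy["Max lifetime (days)"])
    expiry = parse_generalized_time(user["krbpasswordexpiration"])
    set_at = parse_generalized_time(password_set_at)
    observed = (expiry - set_at).days
    return {
        "policy": policy.get("Group"),
        "expected_days": expected,
        "observed_days": observed,
        "matches": abs(observed - expected) <= tolerance_days,
    }


if __name__ == "__main__":
    # With the thread's numbers this reports 90 observed vs 365 expected.
    print(audit_expiry(SAMPLE_POLICY, SAMPLE_USER_SHOW, SAMPLE_SET_AT))
```

Run it once per freshly provisioned account, feeding the real `pwpolicy-show --user` and `user-show --all` output and the timestamp of the provisioning call; an account whose observed lifetime is far from the policy value, as in the 90-versus-365 case here, is one to look at before users start relying on it. Remember Martin's caveat above: a pwpolicy-mod only affects passwords set after the change, so compare against the policy that was in force when the password was set.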