[Freeipa-users] Password expiry when account provisioned/updated via JSON RPC
Dmitri Pal
dpal at redhat.com
Wed Mar 6 13:40:30 UTC 2013
On 03/05/2013 10:28 PM, Brian Smith wrote:
> I set the policy to 1 year and recreated the account.
>
> $ ipa pwpolicy-show --user=it-rc-test-faculty
> Group: global_policy
> Max lifetime (days): 365
> Min lifetime (hours): 1
> History size: 0
> Character classes: 0
> Min length: 8
> Max failures: 10
> Failure reset interval: 60
> Lockout duration: 600
>
> Looks like a bug was filed for this about 9 months
> ago: https://fedorahosted.org/freeipa/ticket/2795
>
> I can also confirm the same behavior when the policy is set to 0 days,
> less than 90 days, or if I create a separate password policy for users
> in the ipausers group. The result is always 90 days.
>
> If the user updates the password themselves (after initial login) then
> the password policy works and sets the expiry accordingly.
>
> The user that is adding the users with userpasswd set appears in the
> passsyncmanagersdns list:
>
> passsyncmanagersdns: uid=rc-user-svcacct,cn=users,cn=accounts,dc=rc,dc=usf,dc=edu
>
Can you work around this issue?
While it was filed 9 months ago, it was found to not be that critical, so
we deferred it until a later time.
Patches are always welcome too :-)
>
> On Mon, Mar 4, 2013 at 2:40 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Brian Smith wrote:
>
> Thanks for your response, and sorry for my late response. I'm on RHEL6,
> using the packages from the distribution repository,
> ipa-server-2.2.0-17.el6_3.1.x86_64
>
> My pwpolicy is set as such (in testing):
>
> $ ipa pwpolicy-show --all
> dn: cn=global_policy,cn=rc.usf.edu,cn=kerberos,dc=rc,dc=usf,dc=edu
>
> Group: global_policy
> Max lifetime (days): 365
> Min lifetime (hours): 1
> History size: 0
> Character classes: 0
> Min length: 8
> Max failures: 10
> Failure reset interval: 60
> Lockout duration: 600
> objectclass: top, nsContainer, krbPwdPolicy
>
>
> If I create an account and set the password using the following JSON
> string, against $server/ipa/json, say today,
>
> {
>   "method": "user_add",
>   "params": [
>     [],
>     {
>       "uid": "it-rc-test-faculty",
>       "homedirectory": "/home/i/it-rc-test-faculty",
>       "userpassword": "MyPasswordInTheClear",
>       "givenname": "RC TEST - Faculty",
>       "sn": "Service_Account"
>     }
>   ]
> }
>
> I get a password expiry time like so:
>
> $ ipa user-show --all it-rc-test-faculty | grep krbpasswordexpiration
> krbpasswordexpiration: 20130602163523Z
>
> That's clearly not one year into the future, but more like 90 days.
>
> Is there something else I'm missing or are we looking at a bug?
>
>
> I still can't reproduce this. I tried from our 3.x branch and the 2.2 bits on 6.3.
>
> Can you do: ipa pwpolicy-show --user=it-rc-test-faculty
>
> This will show the policy applied to that user.
>
> Might also check /var/log/dirsrv/slapd-REALM/errors for anything suspicious.
>
> rob
>
>
> Many thanks,
> -Brian
>
>
> On Tue, Feb 26, 2013 at 3:22 AM, Martin Kosek <mkosek at redhat.com> wrote:
>
> On 02/25/2013 04:38 PM, Brian Smith wrote:
> > It seems that regardless of the global password expiry setting, that setting a
> > password via the methods
> >
> > user-add
> > passwd
> >
> > I will always have a password that expires in 90 days. I followed the
> > instructions here http://freeipa.org/page/PasswordSynchronization
> >
> > to avoid the immediate expiry, but I need at least 180 days for my
> > configuration to work.
> >
> > Any help would be appreciated!
> >
> > --
> > Brian Smith
> > Assistant Director
> > Research Computing, University of South Florida
> > 4202 E. Fowler Ave. SVC4010
> > Office Phone: +1 813 974-1467
> > Organization URL: http://rc.usf.edu
> >
>
> Hello Brian,
>
> Updating the maximum password expiration time with "ipa pwpolicy-mod"
> affects only new passwords, i.e. a password that you already changed will
> have the old lifetime.
>
> When I tested this on Fedora 18, password change worked for me:
>
> # ipa pwpolicy-mod --maxlife 180
> Group: global_policy
> Max lifetime (days): 180
> Min lifetime (hours): 1
> History size: 0
> Character classes: 0
> Min length: 8
> Max failures: 6
> Failure reset interval: 60
> Lockout duration: 600
>
> # ipa user-add --first=Foo --last=Bar fbar
> -----------------
> Added user "fbar"
> -----------------
> User login: fbar
> First name: Foo
> Last name: Bar
> Full name: Foo Bar
> Display name: Foo Bar
> Initials: FB
> Home directory: /home/fbar
> GECOS field: Foo Bar
> Login shell: /bin/sh
> Kerberos principal: fbar@EXAMPLE.COM
> Email address: fbar@example.com
>
> UID: 1758200001
> GID: 1758200001
> Password: False
> Member of groups: ipausers
> Kerberos keys available: False
> # ipa passwd fbar
> New Password:
> Enter New Password again to verify:
> ---------------------------------------
> Changed password for "fbar@EXAMPLE.COM"
> ---------------------------------------
>
> $ ssh fbar@ipa.client.fqdn
> fbar@ipa.client.fqdn's password:
> Password expired. Change your password now.
> Last login: Tue Feb 26 09:16:39 2013 from 10.0.0.1
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user fbar.
> Current Password:
> New password:
> Retype new password:
> Your password will expire in 180 day(s). <<<<<<<<<<<<<<<
> passwd: all authentication tokens updated successfully.
> Connection to ipa.client.fqdn closed.
>
> Does this usecase work for you or are you hitting a bug?
>
>
> As for the warning about the expiring password, this is a bug in the sssd
> component which was already fixed upstream:
>
> https://fedorahosted.org/sssd/ticket/1808
>
> Martin
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
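An added audit check, not code from this thread or from FreeIPA: it parses the `ipa pwpolicy-show` and `ipa user-show` output formats quoted above and reports whether a freshly provisioned account's krbpasswordexpiration actually reflects the policy's max lifetime. The provisioning timestamp is an assumption (constructed as 2013-03-04, which reproduces the 90-day gap Brian observed), and the sample texts are constructed from the values quoted in the thread.

```python
"""Audit: does a provisioned account's krbpasswordexpiration honour the policy maxlife?"""
from datetime import datetime, timedelta, timezone

# Constructed sample inputs mirroring the `ipa` CLI output quoted in the thread.
SAMPLE_POLICY = """\
Group: global_policy
Max lifetime (days): 365
Min lifetime (hours): 1
History size: 0
Character classes: 0
Min length: 8
Max failures: 10
Failure reset interval: 60
Lockout duration: 600
"""
SAMPLE_USER_SHOW = "krbpasswordexpiration: 20130602163523Z\n"  # after JSON-RPC user_add
# Assumed provisioning time (constructed; the thread only says "say today").
CREATED_AT = datetime(2013, 3, 4, 16, 35, 23, tzinfo=timezone.utc)


def parse_ipa_output(text):
    """Turn 'Key: value' lines from the ipa CLI into a dict with lowercased keys."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and not key.startswith(("$", "#")):  # skip pasted shell prompts
            fields[key.lower()] = value.strip()
    return fields


def parse_generalized_time(value):
    """LDAP GeneralizedTime as FreeIPA prints it, e.g. 20130602163523Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def effective_lifetime_days(user_show_text, created_at):
    """Days between provisioning and the expiry FreeIPA actually recorded."""
    expiry = parse_generalized_time(parse_ipa_output(user_show_text)["krbpasswordexpiration"])
    return (expiry - created_at) / timedelta(days=1)


def check_expiry(user_show_text, policy_text, created_at, tolerance_days=1.0):
    """Return (ok, expected_days, actual_days); ok is False when the recorded
    expiry disagrees with the policy's max lifetime by more than the tolerance."""
    expected = int(parse_ipa_output(policy_text)["max lifetime (days)"])
    actual = effective_lifetime_days(user_show_text, created_at)
    return abs(actual - expected) <= tolerance_days, expected, actual


if __name__ == "__main__":
    ok, expected, actual = check_expiry(SAMPLE_USER_SHOW, SAMPLE_POLICY, CREATED_AT)
    print(f"policy maxlife={expected}d, effective={actual:.0f}d -> {'OK' if ok else 'MISMATCH'}")
```

Run the same check against accounts whose password the user later changed themselves; those should come back OK, which isolates the provisioning path as the one ignoring the policy.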