[Freeipa-users] Password expiry when account provisioned/updated via JSON RPC
Brian Smith
brs at usf.edu
Wed Mar 6 20:27:39 UTC 2013
I'm going to dig into it further, hopefully produce a patch in the next few
days. My work-around for right now is ldapmodifying
the krbPasswordExpiration attribute on the account after creation and
subsequent password updates.
On Wed, Mar 6, 2013 at 8:40 AM, Dmitri Pal <dpal at redhat.com> wrote:
> On 03/05/2013 10:28 PM, Brian Smith wrote:
>
> I set the policy to 1 year and recreated the account.
>
> $ ipa pwpolicy-show --user=it-rc-test-faculty
> Group: global_policy
> Max lifetime (days): 365
> Min lifetime (hours): 1
> History size: 0
> Character classes: 0
> Min length: 8
> Max failures: 10
> Failure reset interval: 60
> Lockout duration: 600
>
> Looks like a bug was filed for this about 9 months ago:
> https://fedorahosted.org/freeipa/ticket/2795
>
> I can also confirm the same behavior when the policy is set to 0 days,
> less than 90 days, or if I create a separate password policy for users in
> the ipausers group. The result is always 90 days.
>
> If the user updates the password themselves (after initial login) then
> the password policy works and sets the expiry accordingly.
>
> The user that is adding the users with userpasswd set appears in the
> passsyncmanagersdns list:
>
> passsyncmanagersdns:
> uid=rc-user-svcacct,cn=users,cn=accounts,dc=rc,dc=usf,dc=edu
>
>
> Can you work around this issue?
> While it was filed 9 months ago it was found to not be that critical, so we
> deferred it till a later time.
> Patches are always welcome too :-)
>
>
>
>
> On Mon, Mar 4, 2013 at 2:40 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>> Brian Smith wrote:
>>
>>> Thanks for your response, and sorry for my late response. I'm on RHEL6,
>>> using the packages from the distribution
>>> repository, ipa-server-2.2.0-17.el6_3.1.x86_64
>>>
>>> My pwpolicy is set as such (in testing):
>>>
>>> $ ipa pwpolicy-show --all
>>> dn: cn=global_policy,cn=rc.usf.edu,cn=kerberos,dc=rc,dc=usf,dc=edu
>>>
>>> Group: global_policy
>>> Max lifetime (days): 365
>>> Min lifetime (hours): 1
>>> History size: 0
>>> Character classes: 0
>>> Min length: 8
>>> Max failures: 10
>>> Failure reset interval: 60
>>> Lockout duration: 600
>>> objectclass: top, nsContainer, krbPwdPolicy
>>>
>>>
>>> If I create an account and set the password using the following JSON
>>> string, against $server/ipa/json, say today,
>>>
>>> {
>>> "method":"user_add",
>>> "params":[ [],
>>> {
>>> "uid":"it-rc-test-faculty",
>>> "homedirectory":"/home/i/it-rc-test-faculty",
>>> "userpassword":"MyPasswordInTheClear",
>>> "givenname":"RC TEST - Faculty",
>>> "sn":"Service_Account"
>>> }]
>>> }
>>>
>>> I get a password expiry time like so:
>>>
>>> $ ipa user-show --all it-rc-test-faculty | grep krbpasswordexpiration
>>> krbpasswordexpiration: 20130602163523Z
>>>
>>> That's clearly not one year into the future, but more like 90 days.
>>>
>>> Is there something else I'm missing or are we looking at a bug?
>>>
>>
>> I still can't reproduce this. I tried from our 3.x branch and the 2.2
>> bits on 6.3.
>>
>> Can you do: ipa pwpolicy-show --user=it-rc-test-faculty
>>
>> This will show the policy applied to that user.
>>
>> Might also check /var/log/dirsrv/slapd-REALM/errors for anything
>> suspicious.
>>
>> rob
>>
>>
>>> Many thanks,
>>> -Brian
>>>
>>>
>>> On Tue, Feb 26, 2013 at 3:22 AM, Martin Kosek <mkosek at redhat.com> wrote:
>>>
>>> On 02/25/2013 04:38 PM, Brian Smith wrote:
>>> > It seems that regardless of the global password expiry setting,
>>> > setting a password via the methods
>>> >
>>> > user-add
>>> > passwd
>>> >
>>> > I will always have a password that expires in 90 days. I followed the
>>> > instructions here http://freeipa.org/page/PasswordSynchronization
>>> >
>>> > to avoid the immediate expiry, but I need at least 180 days for my
>>> > configuration to work.
>>> >
>>> > Any help would be appreciated!
>>> >
>>> > --
>>> > Brian Smith
>>> > Assistant Director
>>> > Research Computing, University of South Florida
>>> > 4202 E. Fowler Ave. SVC4010
>>> > Office Phone: +1 813 974-1467
>>> > Organization URL: http://rc.usf.edu
>>> >
>>>
>>> Hello Brian,
>>>
>>> Updating maximum password expiration time with "ipa pwpolicy-mod" affects only
>>> new passwords, i.e. passwords that you already changed will have the
>>> old lifetime.
>>>
>>> When I tested this on Fedora 18, password change worked for me:
>>>
>>> # ipa pwpolicy-mod --maxlife 180
>>> Group: global_policy
>>> Max lifetime (days): 180
>>> Min lifetime (hours): 1
>>> History size: 0
>>> Character classes: 0
>>> Min length: 8
>>> Max failures: 6
>>> Failure reset interval: 60
>>> Lockout duration: 600
>>>
>>> # ipa user-add --first=Foo --last=Bar fbar
>>> -----------------
>>> Added user "fbar"
>>> -----------------
>>> User login: fbar
>>> First name: Foo
>>> Last name: Bar
>>> Full name: Foo Bar
>>> Display name: Foo Bar
>>> Initials: FB
>>> Home directory: /home/fbar
>>> GECOS field: Foo Bar
>>> Login shell: /bin/sh
>>> Kerberos principal: fbar at EXAMPLE.COM
>>> Email address: fbar at example.com
>>>
>>> UID: 1758200001
>>> GID: 1758200001
>>> Password: False
>>> Member of groups: ipausers
>>> Kerberos keys available: False
>>> # ipa passwd fbar
>>> New Password:
>>> Enter New Password again to verify:
>>> ---------------------------------------
>>> Changed password for "fbar at EXAMPLE.COM"
>>>
>>> ---------------------------------------
>>>
>>> $ ssh fbar at ipa.client.fqdn
>>> fbar at ipa.client.fqdn's password:
>>> Password expired. Change your password now.
>>> Last login: Tue Feb 26 09:16:39 2013 from 10.0.0.1
>>> WARNING: Your password has expired.
>>> You must change your password now and login again!
>>> Changing password for user fbar.
>>> Current Password:
>>> New password:
>>> Retype new password:
>>> Your password will expire in 180 day(s). <<<<<<<<<<<<<<<
>>> passwd: all authentication tokens updated successfully.
>>> Connection to ipa.client.fqdn closed.
>>>
>>> Does this usecase work for you or are you hitting a bug?
>>>
>>>
>>> As for the warning about expiring password, this is a bug in the sssd
>>> component which was already fixed upstream:
>>>
>>> https://fedorahosted.org/sssd/ticket/1808
>>>
>>> Martin
>>>
>>>
>>>
>>>
>>> --
>>> Brian Smith
>>> Assistant Director
>>> Research Computing, University of South Florida
>>> 4202 E. Fowler Ave. SVC4010
>>> Office Phone: +1 813 974-1467
>>> Organization URL: http://rc.usf.edu
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>
>
>
> --
> Brian Smith
> Assistant Director
> Research Computing, University of South Florida
> 4202 E. Fowler Ave. SVC4010
> Office Phone: +1 813 974-1467
> Organization URL: http://rc.usf.edu
>
>
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>
>
>
--
Brian Smith
Assistant Director
Research Computing, University of South Florida
4202 E. Fowler Ave. SVC4010
Office Phone: +1 813 974-1467
Organization URL: http://rc.usf.edu
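As an added example (not from the thread or the FreeIPA project), a small Python audit that compares the krbpasswordexpiration reported by ipa user-show with what the Max lifetime from ipa pwpolicy-show implies, flagging accounts that left provisioning with the 90-day lifetime described above, and emitting the LDIF for the ldapmodify workaround on krbPasswordExpiration. The user DN, the time the password was set and the "Key: value" samples are constructed from the values quoted in the thread.

```python
"""Audit FreeIPA password expiry set at provisioning against the password policy.
Added example, not from the thread; samples below reuse the values quoted above."""
from datetime import datetime, timedelta, timezone

GENTIME_FMT = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime, as printed by ipa user-show

# Constructed samples: the relevant lines of the thread's command output.
USER_SHOW = "krbpasswordexpiration: 20130602163523Z\n"
POLICY_SHOW = "Group: global_policy\nMax lifetime (days): 365\nMin lifetime (hours): 1\n"
# Assumed: password set via user_add on 2013-03-04 16:35:23 UTC, 90 days before that expiry.
PASSWORD_SET_AT = datetime(2013, 3, 4, 16, 35, 23, tzinfo=timezone.utc)
# Assumed DN, following the uid=...,cn=users,cn=accounts,... pattern shown in the thread.
USER_DN = "uid=it-rc-test-faculty,cn=users,cn=accounts,dc=rc,dc=usf,dc=edu"

def parse_gentime(value: str) -> datetime:
    return datetime.strptime(value, GENTIME_FMT).replace(tzinfo=timezone.utc)

def format_gentime(when: datetime) -> str:
    return when.astimezone(timezone.utc).strftime(GENTIME_FMT)

def parse_ipa_show(output: str) -> dict:
    """Turn the 'Key: value' lines of ipa *-show output into a lowercase-keyed dict."""
    attrs = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            attrs[key.strip().lower()] = value.strip()
    return attrs

def audit_expiry(user_show: str, policy_show: str, set_at: datetime, tolerance_days: int = 1) -> dict:
    """Compare the stored expiry with what the effective policy's max lifetime implies."""
    maxlife = int(parse_ipa_show(policy_show)["max lifetime (days)"])
    actual = parse_gentime(parse_ipa_show(user_show)["krbpasswordexpiration"])
    expected = set_at + timedelta(days=maxlife)
    return {"actual": actual, "expected": expected,
            "observed_days": (actual - set_at).days,  # 90 here, although the policy says 365
            "mismatch": abs((expected - actual).days) > tolerance_days}

def correction_ldif(dn: str, expected: datetime) -> str:
    """LDIF for the ldapmodify workaround: replace krbPasswordExpiration with the policy value."""
    return (f"dn: {dn}\nchangetype: modify\nreplace: krbPasswordExpiration\n"
            f"krbPasswordExpiration: {format_gentime(expected)}\n")

if __name__ == "__main__":
    result = audit_expiry(USER_SHOW, POLICY_SHOW, PASSWORD_SET_AT)
    if result["mismatch"]:  # flag provisioning that ignored the policy, then print the fix
        print(correction_ldif(USER_DN, result["expected"]))
```

Run it against real output of ipa user-show --all and ipa pwpolicy-show --user=<uid>, with set_at taken from the provisioning log, to find every account whose expiry came out shorter than the policy allows.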