[Freeipa-users] Change default password expiry date

Martin Kosek mkosek at redhat.com
Wed Dec 10 09:21:59 UTC 2014


On 12/10/2014 03:36 AM, Dmitri Pal wrote:
> On 12/09/2014 08:43 PM, Thomas Lau wrote:
>> Hi All,
>>
>> FreeIPA default is using 60 days password expiry, how could I change it?
> 
> You go to password policies and change the global password policy.
> You change MAX lifetime.
> This is a global setting; it will apply to new passwords/keytabs when they are
> changed next time.
> You can create other policies and apply them to groups if you need.

Right. BTW, the default is 90 days, not sixty:

# ipa pwpolicy-show
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600

> 
>>
>> Also, for existing accounts, can I just change krbPasswordExpiration
>> on LDAP?
> 
> I think the answer is yes.

You will need to be Directory Manager for such a change. Normally, it is expected
that the new password policy is applied on next user password change.

> 
>> anywhere else I need to change?
> 
> I think the answer is no

Right.

> 
>> do I need to generate keytab
>> on Kerberos to activate new expiry date?
>>
> If you change the expiration in the attribute then no.
> 

More on password policies here:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/user-pwdpolicy.html
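
The two changes discussed in this thread, as an added example that is not part of the original messages: raising the global policy's max lifetime, and generating the LDIF that sets krbPasswordExpiration on existing accounts. The function names, the suffix dc=example,dc=com, the logins and the date are constructed for illustration.

```shell
# Added example; logins, suffix and dates used with it are constructed values.

# Emit an LDIF record that replaces krbPasswordExpiration for one user.
#   $1 = login (uid), $2 = directory suffix, $3 = expiry as YYYY-MM-DD (UTC)
krb_expiry_ldif() {
    local uid="$1"
    local suffix="$2"
    local day="$3"
    local y m d
    # Reject logins with DN/LDIF metacharacters instead of trying to escape them.
    case "$uid" in
        ''|*[!A-Za-z0-9._-]*) echo "bad login: $uid" >&2; return 1 ;;
    esac
    # Format check plus a coarse range check (days per month are not verified).
    case "$day" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "bad date: $day" >&2; return 1 ;;
    esac
    y=${day%%-*}; m=${day#*-}; m=${m%-*}; d=${day##*-}
    [ "${m#0}" -ge 1 ] && [ "${m#0}" -le 12 ] &&
        [ "${d#0}" -ge 1 ] && [ "${d#0}" -le 31 ] ||
        { echo "bad date: $day" >&2; return 1; }
    # krbPasswordExpiration uses GeneralizedTime: YYYYMMDDhhmmssZ
    printf 'dn: uid=%s,cn=users,cn=accounts,%s\n' "$uid" "$suffix"
    printf 'changetype: modify\nreplace: krbPasswordExpiration\n'
    printf 'krbPasswordExpiration: %s%s%s000000Z\n\n' "$y" "$m" "$d"
}

# Build one LDIF stream for several users; stop at the first bad input.
#   $1 = suffix, $2 = expiry date, remaining arguments = logins
krb_expiry_batch() {
    local suffix="$1"
    local day="$2"
    local u
    shift 2
    for u in "$@"; do
        krb_expiry_ldif "$u" "$suffix" "$day" || return 1
    done
}

# Typical use on an IPA server (shown as comments, not executed here):
#   ipa pwpolicy-mod --maxlife=180      # global policy; applies on next password change
#   krb_expiry_batch dc=example,dc=com 2015-06-08 alice bob > expiry.ldif
#   ldapmodify -x -D "cn=Directory Manager" -W -f expiry.ldif
#   ipa user-show alice --all | grep -i krbpasswordexpiration
```

Review the generated LDIF before applying it, since the bind as Directory Manager bypasses the normal access controls on this attribute.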



