[Freeipa-users] Service Accounts - non expiry of passwords

Les Stott Less at imagine-sw.com
Mon Jan 6 03:12:46 UTC 2014


Hi,

I've seen a few references to this when searching the lists and mention of enhancements to later versions of freeipa to allow setting certain users to have passwords that don't expire.

I'm on rhel6, which has an older freeipa, and I can't see it being updated anytime soon. So I thought I'd share what I did to work around this.

Scenario: set up a user account with a password that doesn't expire. Example: an account with credentials to bind to ldap to do searches.

Created a user "ldapbind" in freeipa.
Created a user group in freeipa: service_accounts
Added ldapbind as a member of service_accounts
Created a new password policy in freeipa: service_accounts
Replicated the same settings in the service_accounts password policy as per the default global_policy with the exception of "Max Lifetime", which, instead of 90 days, I set to 7300 days.
The service_accounts policy was created with priority 0 (same as global_policy). All users who don't belong to the service_accounts group will get the standard 90 day expiry from the global_policy. Users who do belong to the service_accounts group get the service_accounts password policy.

This seems to be a valid workaround for me. Hope it helps others.

Regards,

Les
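The procedure above driven through the ipa CLI, as an added example that is not part of Les's post. It assumes the ipa client with an admin Kerberos ticket and that the policy's non-lifetime settings match the global_policy defaults, and it adds the check a practitioner would want: reading back `ipa pwpolicy-show --user=ldapbind` to confirm the group policy is the one actually in effect for the user (the sample output below is constructed).

```shell
# Added example, not from the original post: the workaround via the ipa CLI,
# plus a check that the intended policy really applies to the user.
# Assumes the ipa client is installed and an admin ticket exists (kinit admin).

SVC_USER=ldapbind
GROUP=service_accounts          # group and policy share this name
MAXLIFE_DAYS=7300               # instead of the global 90 days

# Create the user, the group, the membership and the group-level policy.
# The non-lifetime values are assumed to match global_policy defaults;
# confirm them with 'ipa pwpolicy-show global_policy' before running.
apply_workaround() {
    ipa user-add "$SVC_USER" --first=LDAP --last=Bind
    ipa group-add "$GROUP" --desc="Service accounts with non-expiring passwords"
    ipa group-add-member "$GROUP" --users="$SVC_USER"
    ipa pwpolicy-add "$GROUP" --priority=0 --maxlife="$MAXLIFE_DAYS" \
        --minlife=1 --history=0 --minclasses=0 --minlength=8
}

# Read 'ipa pwpolicy-show --user=<user>' output on stdin and succeed only if
# the policy applied to the user is $1 with max lifetime $2. A mis-set
# priority would otherwise silently leave the 90-day global policy in force.
check_effective_policy() {
    want_policy=$1; want_maxlife=$2; got_policy=''; got_maxlife=''
    while IFS= read -r line; do
        case "$line" in
            *"Group:"*)               got_policy=${line##*: } ;;
            *"Max lifetime (days):"*) got_maxlife=${line##*: } ;;
        esac
    done
    [ "$got_policy" = "$want_policy" ] && [ "$got_maxlife" = "$want_maxlife" ]
}

# Constructed sample of 'ipa pwpolicy-show --user=ldapbind' after the change.
SAMPLE_SHOW_OUTPUT='  Group: service_accounts
  Max lifetime (days): 7300
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Priority: 0'

if command -v ipa >/dev/null 2>&1; then
    apply_workaround
    ipa pwpolicy-show --user="$SVC_USER" | check_effective_policy "$GROUP" "$MAXLIFE_DAYS" \
        && echo "ok: $SVC_USER now falls under $GROUP ($MAXLIFE_DAYS days)" \
        || echo "warning: $SVC_USER is still governed by another policy" >&2
else
    # No ipa client on this host: exercise the check on the constructed sample.
    printf '%s\n' "$SAMPLE_SHOW_OUTPUT" | check_effective_policy "$GROUP" "$MAXLIFE_DAYS" \
        && echo "ok (sample output): policy check passes"
fi
```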
