[Freeipa-users] Can't change password of FreeIPA admin - “Current password's minimum life has not expired”

Dmitri Pal dpal at redhat.com
Fri Jul 11 20:19:49 UTC 2014


On 06/30/2014 09:03 AM, Rob Crittenden wrote:
> Alex Chistyakov wrote:
>> Hello,
>>
>> We have a FreeIPA-based system, admin's password has expired and needs to be changed but the standard password changing procedure over SSH fails:
>>
>>    sashka at cellar ~ ssh admin at ipa.xxxxxxxxxx.com
>>    admin at ipa.goodwix.com's password:
>>    Password expired. Change your password now.
>>    Last failed login: Mon Jun 30 15:38:21 MSK 2014 from 116.10.191.195 on ssh:notty
>>    There were 6071 failed login attempts since the last successful login.
>>    Last login: Wed Apr 16 19:28:54 2014
>>    WARNING: Your password has expired.
>>    You must change your password now and login again!
>>    Changing password for user admin.
>>    Current Password:
>>    New password:
>>    Retype new password:
>>    Password change failed. Server message: Current password's minimum life has not expired
>>
>>    Password not changed.
>>    passwd: Authentication token manipulation error
>>    Connection to ipa.xxxxxxxxxx.com closed.
>>
>> If we try to change the password using passwd it fails too with the same error message:
>>
>>    [admin at ipa ~]$ passwd
>>    Changing password for user admin.
>>    Current Password:
>>    New password:
>>    Retype new password:
>>    Password change failed. Server message: Current password's minimum life has not expired
>>
>>    Password not changed.
>>    passwd: Authentication token manipulation error
>>    [admin at ipa ~]$
>>
>> What should we do to resolve this situation?
> I'd eventually look at your password policy to see what the min/max
> values are.
>
> To force a password change and avoid password policy you need to bind as
> the Directory Manager. Using ldappasswd will help with that:
>
> $ ldappasswd -x -D 'cn=Directory Manager' -W uid=admin,cn=users,cn=accounts,dc=example,dc=com -A -S
> Old password:
> Re-enter old password:
> New password:
> Re-enter new password:
> Enter LDAP Password:
>
> I'd run this on the IPA master for ease-of-use. It should have a
> pre-configured ldap.conf which sets the host and enables TLS. Otherwise
> you'll need to add a -h <host> and -Z to the command.
>
> rob
>
Alex,

Is there anything we can learn from this?
Was it a misconfiguration or something else?
Could we have done something better to avoid situations like this?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
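Rob's answer rests on two checks that the server applies separately: whether the password has expired, and whether its minimum life has elapsed since the last change. The following is an added example, not code from the thread or from FreeIPA, that models those two checks so a defender can tell the "expired but not yet changeable" state apart from a plain expiry. It assumes the attributes krbPasswordExpiration and krbLastPwdChange, the "Max lifetime (days)" / "Min lifetime (hours)" labels of `ipa pwpolicy-show` output, and constructed timestamps and policy values.

```python
# Added example (not from the thread): model the expiry check and the
# minimum-life check that produce "Current password's minimum life has not
# expired". Attribute names are FreeIPA's; all values below are constructed.
from datetime import datetime, timedelta, timezone

def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as '20140630100000Z' (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_pwpolicy(text):
    """Pull the lifetime fields out of 'ipa pwpolicy-show' style output."""
    policy = {}
    for line in text.splitlines():
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "Max lifetime (days)":
            policy["maxlife"] = timedelta(days=int(val))
        elif key == "Min lifetime (hours)":
            policy["minlife"] = timedelta(hours=int(val))
    return policy

def assess(last_change, expiration, policy, now):
    """Classify an account: must the user change the password, and may they?"""
    expired = now >= expiration                       # krbPasswordExpiration passed
    change_allowed_at = last_change + policy["minlife"]  # krbLastPwdChange + minlife
    min_life_ok = now >= change_allowed_at
    if expired and not min_life_ok:
        state = "deadlock"            # must change, but cannot: the thread's symptom
    elif expired:
        state = "expired-changeable"  # ordinary forced change at next login
    elif not min_life_ok:
        state = "too-soon"            # not expired, change refused until minlife passes
    else:
        state = "ok"
    return {"state": state, "change_allowed_at": change_allowed_at}

# Constructed sample policy in the layout 'ipa pwpolicy-show' prints.
SAMPLE_POLICY = parse_pwpolicy("""\
  Max lifetime (days): 90
  Min lifetime (hours): 1
""")

def example():
    # Constructed case: expiration equals the last change time, so the password
    # is already expired while 22 minutes of the 1-hour minimum life remain.
    last = parse_generalized_time("20140630100000Z")
    exp = parse_generalized_time("20140630100000Z")
    return assess(last, exp, SAMPLE_POLICY, parse_generalized_time("20140630103821Z"))
```

In the "deadlock" state a user-side `passwd` cannot succeed until `change_allowed_at`, which is why Rob's Directory Manager bind with ldappasswd is the way out.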
