[Freeipa-users] Can't change password of FreeIPA admin - “Current password's minimum life has not expired”
Dmitri Pal
dpal at redhat.com
Fri Jul 11 20:19:49 UTC 2014
On 06/30/2014 09:03 AM, Rob Crittenden wrote:
> Alex Chistyakov wrote:
>> Hello,
>>
>> We have a FreeIPA-based system, admin's password has expired and needs to be changed but the standard password changing procedure over SSH fails:
>>
>> sashka at cellar ~ ssh admin at ipa.xxxxxxxxxx.com
>> admin at ipa.goodwix.com's password:
>> Password expired. Change your password now.
>> Last failed login: Mon Jun 30 15:38:21 MSK 2014 from 116.10.191.195 on ssh:notty
>> There were 6071 failed login attempts since the last successful login.
>> Last login: Wed Apr 16 19:28:54 2014
>> WARNING: Your password has expired.
>> You must change your password now and login again!
>> Changing password for user admin.
>> Current Password:
>> New password:
>> Retype new password:
>> Password change failed. Server message: Current password's minimum life has not expired
>>
>> Password not changed.
>> passwd: Authentication token manipulation error
>> Connection to ipa.xxxxxxxxxx.com closed.
>>
>> If we try to change the password using passwd it fails too with the same error message:
>>
>> [admin at ipa ~]$ passwd
>> Changing password for user admin.
>> Current Password:
>> New password:
>> Retype new password:
>> Password change failed. Server message: Current password's minimum life has not expired
>>
>> Password not changed.
>> passwd: Authentication token manipulation error
>> [admin at ipa ~]$
>>
>> What should we do to resolve this situation?
> I'd eventually look at your password policy to see what the min/max
> values are.
>
> To force a password change and avoid password policy you need to bind as
> the Directory Manager. Using ldappasswd will help with that:
>
> $ ldappasswd -x -D 'cn=Directory Manager' -W
> uid=admin,cn=users,cn=accounts,dc=example,dc=com -A -S
> Old password:
> Re-enter old password:
> New password:
> Re-enter new password:
> Enter LDAP Password:
>
> I'd run this on the IPA master for easeo-of-use. It should havea
> pre-configured ldap.conf which sets the host and enables TLS. Otherwise
> you'll need to add a -h <host> and -Z to the command.
>
> rob
>
Alex,
Is there anything we can learn from this?
Was it a misconfiguration or something else?
Could we have done something better to avoid situations like this?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
More information about the Freeipa-users
mailing list