[Freeipa-users] Can't change password of FreeIPA admin - “Current password's minimum life has not expired”

Rob Crittenden rcritten at redhat.com
Mon Jun 30 13:03:46 UTC 2014


Alex Chistyakov wrote:
> Hello,
> 
> We have a FreeIPA-based system, admin's password has expired and needs to be changed but the standard password changing procedure over SSH fails:
> 
>   sashka at cellar ~ ssh admin at ipa.xxxxxxxxxx.com
>   admin at ipa.goodwix.com's password: 
>   Password expired. Change your password now.
>   Last failed login: Mon Jun 30 15:38:21 MSK 2014 from 116.10.191.195 on ssh:notty
>   There were 6071 failed login attempts since the last successful login.
>   Last login: Wed Apr 16 19:28:54 2014
>   WARNING: Your password has expired.
>   You must change your password now and login again!
>   Changing password for user admin.
>   Current Password: 
>   New password: 
>   Retype new password: 
>   Password change failed. Server message: Current password's minimum life has not expired
> 
>   Password not changed.
>   passwd: Authentication token manipulation error
>   Connection to ipa.xxxxxxxxxx.com closed.
> 
> If we try to change the password using passwd it fails too with the same error message:
> 
>   [admin at ipa ~]$ passwd
>   Changing password for user admin.
>   Current Password: 
>   New password: 
>   Retype new password: 
>   Password change failed. Server message: Current password's minimum life has not expired
> 
>   Password not changed.
>   passwd: Authentication token manipulation error
>   [admin at ipa ~]$
> 
> What should we do to resolve this situation?

I'd eventually look at your password policy to see what the min/max
values are.

To force a password change and avoid password policy you need to bind as
the Directory Manager. Using ldappasswd will help with that:

$ ldappasswd -x -D 'cn=Directory Manager' -W uid=admin,cn=users,cn=accounts,dc=example,dc=com -A -S
Old password:
Re-enter old password:
New password:
Re-enter new password:
Enter LDAP Password:

I'd run this on the IPA master for ease of use. It should have a
pre-configured ldap.conf which sets the host and enables TLS. Otherwise
you'll need to add a -h <host> and -Z to the command.

rob
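
Added example (not part of the thread or of FreeIPA's own code): a small model of the two lifetime checks behind the error above, so the min/max values from the password policy can be checked against the user's krbLastPwdChange and krbPasswordExpiration attributes. The attribute names are FreeIPA's; the sample entry, the two policies and the "now" timestamp are constructed, and the exact server-side logic is assumed from the error message rather than taken from the source.

```python
# Added example (not from the thread): model FreeIPA's minimum/maximum
# password-lifetime checks to see why a self-service change is rejected.
from datetime import datetime, timedelta, timezone

GENTIME = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime, e.g. 20140630150000Z


def parse_gentime(value):
    """Parse an LDAP GeneralizedTime string into an aware UTC datetime."""
    return datetime.strptime(value, GENTIME).replace(tzinfo=timezone.utc)


def evaluate_change(entry, policy, now):
    """Decide whether a user-initiated change would pass the lifetime checks.

    entry  : user attributes krbLastPwdChange, krbPasswordExpiration
    policy : krbMinPwdLife / krbMaxPwdLife in seconds (assumed to be the raw
             LDAP values; 'ipa pwpolicy-show' displays lifetimes in hours)
    A change done while bound as Directory Manager (the reply's advice) is
    assumed to skip these checks entirely.
    """
    last_change = parse_gentime(entry["krbLastPwdChange"])
    expires = parse_gentime(entry["krbPasswordExpiration"])
    min_life = timedelta(seconds=int(policy["krbMinPwdLife"]))
    max_life = timedelta(seconds=int(policy["krbMaxPwdLife"]))
    min_ok_at = last_change + min_life
    # Window after expiry during which self-service changes are rejected:
    # it only exists when the minimum life is longer than the maximum life.
    stuck = max(min_life - max_life, timedelta(0)) if max_life else timedelta(0)
    return {
        "expired": now >= expires,
        "min_life_ok": now >= min_ok_at,
        "min_life_ok_at": min_ok_at,
        "stuck_after_expiry": stuck,
    }


# Constructed sample: password set 1 March, 90-day max life, 180-day min life.
SAMPLE_ENTRY = {
    "krbLastPwdChange": "20140301120000Z",
    "krbPasswordExpiration": "20140530120000Z",
}
BAD_POLICY = {"krbMinPwdLife": 180 * 86400, "krbMaxPwdLife": 90 * 86400}
SANE_POLICY = {"krbMinPwdLife": 3600, "krbMaxPwdLife": 90 * 86400}
NOW = parse_gentime("20140630150000Z")

if __name__ == "__main__":
    for name, pol in (("bad", BAD_POLICY), ("sane", SANE_POLICY)):
        r = evaluate_change(SAMPLE_ENTRY, pol, NOW)
        print(name, "expired" if r["expired"] else "valid",
              "min life ok" if r["min_life_ok"] else
              f"min life not expired until {r['min_life_ok_at']:%Y-%m-%d}",
              "stuck window:", r["stuck_after_expiry"])
```

With the "bad" policy the password is already expired but the minimum life runs until 28 August, which is exactly the situation where only a Directory Manager bind can reset it.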
