[Freeipa-users] Can't change password of FreeIPA admin - “Current password's minimum life has not expired”
Rob Crittenden
rcritten at redhat.com
Mon Jun 30 13:03:46 UTC 2014
Alex Chistyakov wrote:
> Hello,
>
> We have a FreeIPA-based system, admin's password has expired and needs to be changed but the standard password changing procedure over SSH fails:
>
> sashka at cellar ~ ssh admin at ipa.xxxxxxxxxx.com
> admin at ipa.goodwix.com's password:
> Password expired. Change your password now.
> Last failed login: Mon Jun 30 15:38:21 MSK 2014 from 116.10.191.195 on ssh:notty
> There were 6071 failed login attempts since the last successful login.
> Last login: Wed Apr 16 19:28:54 2014
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user admin.
> Current Password:
> New password:
> Retype new password:
> Password change failed. Server message: Current password's minimum life has not expired
>
> Password not changed.
> passwd: Authentication token manipulation error
> Connection to ipa.xxxxxxxxxx.com closed.
>
> If we try to change the password using passwd it fails too with the same error message:
>
> [admin at ipa ~]$ passwd
> Changing password for user admin.
> Current Password:
> New password:
> Retype new password:
> Password change failed. Server message: Current password's minimum life has not expired
>
> Password not changed.
> passwd: Authentication token manipulation error
> [admin at ipa ~]$
>
> What should we do to resolve this situation?
I'd eventually look at your password policy to see what the min/max
values are.
To force a password change and avoid password policy you need to bind as
the Directory Manager. Using ldappasswd will help with that:
$ ldappasswd -x -D 'cn=Directory Manager' -W
uid=admin,cn=users,cn=accounts,dc=example,dc=com -A -S
Old password:
Re-enter old password:
New password:
Re-enter new password:
Enter LDAP Password:
I'd run this on the IPA master for easeo-of-use. It should havea
pre-configured ldap.conf which sets the host and enables TLS. Otherwise
you'll need to add a -h <host> and -Z to the command.
rob
More information about the Freeipa-users
mailing list