[Freeipa-users] IdM Password Expiration

David Kupka dkupka at redhat.com
Wed Aug 5 08:31:28 UTC 2015


On 04/08/15 17:01, Robert Locke wrote:
> Hey folks,
>
> I have been using the following to adjust the Password Expiration of
> accounts in IdM/IPA:
>          echo "$ADMIN_PASS" | kinit admin
>          echo -e "dn: uid=rheluseri,cn=users,cn=accounts,dc=example,dc=com\nchangetype: modify\nreplace: krbPasswordExpiration\nkrbPasswordExpiration: 20300101000000Z\n" | ldapmodify -x -D 'cn=Directory Manager' -w $ADMIN_PASS
>
> This has worked nicely for me.
>
> My "new" problem is that the admin account itself expires after 90 days.
> I thought since ldapsearch does show the admin account, that simply
> substituting the uid might work.
>
>          echo -e "dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com\nchangetype: modify\nreplace: krbPasswordExpiration\nkrbPasswordExpiration: 20300101000000Z\n" | ldapmodify -x -D 'cn=Directory Manager' -w $ADMIN_PASS
>
> My attempts to adjust the admin account in this similar fashion have
> been not surprisingly unsuccessful.
>
> Suggestions/pointers?
>
> --Rob
>
>
>
Hello,
I just tried to set the krbPasswordExpiration attribute for admin and it
worked as expected:

$ ipa user-show admin --all
   dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
   User login: admin
   ...
   krbpasswordexpiration: 20200101000000Z
   ...

$ echo -e "dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com\nchangetype: modify\nreplace: krbPasswordExpiration\nkrbPasswordExpiration: 20300101000000Z\n" | ldapmodify -x -D 'cn=Directory Manager' -w $DM_PASS
modifying entry "uid=admin,cn=users,cn=accounts,dc=example,dc=com"

$ ipa user-show admin --all
   dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
   User login: admin
   ...
   krbpasswordexpiration: 20300101000000Z
   ...

Could you provide more information about what is failing? The only thing
that comes to my mind is that you're using the $ADMIN_PASS variable where
the Directory Manager password is required, but I know it's just the name
of the variable.

-- 
David Kupka
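
The modify operation from this thread as a small shell helper (an added example, not part of the original messages): it validates the login and the GeneralizedTime value before building the LDIF, and reads the Directory Manager password from a file with ldapmodify's -y option so it does not appear in the process list. The function names, the password-file argument and the default suffix dc=example,dc=com are assumptions.

```shell
#!/bin/sh
# Added example; function names and the password-file path are hypothetical.

# Accept only simple logins so a crafted value cannot inject LDIF lines.
valid_login() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# krbPasswordExpiration is GeneralizedTime: 14 digits followed by Z.
valid_gentime() {
    d=${1%Z}
    [ "$d" != "$1" ] || return 1      # must end in Z
    [ "${#d}" -eq 14 ] || return 1    # YYYYMMDDhhmmss
    case $d in
        *[!0-9]*) return 1 ;;
    esac
}

# make_ldif LOGIN EXPIRY [SUFFIX]: print the LDIF modify record, one
# attribute per line, so mail or terminal wrapping cannot split it.
make_ldif() {
    login=$1 expiry=$2 suffix=${3:-dc=example,dc=com}
    valid_login "$login" || { echo "invalid login" >&2; return 1; }
    valid_gentime "$expiry" || { echo "invalid expiry" >&2; return 1; }
    printf 'dn: uid=%s,cn=users,cn=accounts,%s\n' "$login" "$suffix"
    printf 'changetype: modify\n'
    printf 'replace: krbPasswordExpiration\n'
    printf 'krbPasswordExpiration: %s\n' "$expiry"
}

# set_expiration LOGIN EXPIRY DM_PASSFILE [SUFFIX]
# Binds as Directory Manager, so DM_PASSFILE must hold the Directory
# Manager password, not the IPA admin password. ldapmodify -y uses the
# complete file contents: write the file without a trailing newline and
# keep it at mode 0600.
set_expiration() {
    ldif=$(make_ldif "$1" "$2" "$4") || return 1
    printf '%s\n' "$ldif" |
        ldapmodify -x -D 'cn=Directory Manager' -y "$3"
}

# Usage (needs the OpenLDAP client tools and a reachable directory):
#   set_expiration admin 20300101000000Z /root/.dm_pass
```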
