[Freeipa-users] IdM Password Expiration

[David Kupka]

On 04/08/15 17:01, Robert Locke wrote:
> Hey folks,
>
> I have been using the following to adjust the Password Expiration of
> accounts in IdM/IPA:
>          echo "$ADMIN_PASS" | kinit admin
>          echo -e "dn:
> uid=rheluseri,cn=users,cn=accounts,dc=example,dc=com\nchangetype: modify
> \nreplace: krbPasswordExpiration\nkrbPasswordExpiration: 20300101000000Z
> \n" | ldapmodify -x -D 'cn=Directory Manager' -w $ADMIN_PASS
>
> This has worked nicely for me.
>
> My "new" problem is that the admin account itself expires after 90 days.
> I thought since ldapsearch does show the admin account, that simply
> substituting the uid might work.
>
>          echo -e "dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
> \nchangetype: modify\nreplace: krbPasswordExpiration
> \nkrbPasswordExpiration: 20300101000000Z\n" | ldapmodify -x -D
> 'cn=Directory Manager' -w $ADMIN_PASS
>
> My attempts to adjust the admin account in this similar fashion have
> been not surprisingly unsuccessful.
>
> Suggestions/pointers?
>
> --Rob
>
>
>
Hello,
I just tried to set krbPasswordExpiration attribute for admin and it 
worked as expected:

$ ipa user-show admin --all
   dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
   User login: admin
   ...
   krbpasswordexpiration: 20200101000000Z
   ...

$ echo -e "dn: 
uid=admin,cn=users,cn=accounts,dc=example,dc=com\nchangetype: 
modify\nreplace: krbPasswordExpiration\nkrbPasswordExpiration: 
20300101000000Z\n" | ldapmodify -x -D 'cn=Directory Manager' -w $DM_PASS
modifying entry "uid=admin,cn=users,cn=accounts,dc=example,dc=com"

$ ipa user-show admin --all
   dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
   User login: admin
   ...
   krbpasswordexpiration: 20300101000000Z
   ...

Could you provide more information about what is failing? Only thing 
that comes to my mind is that you're using $ADMIN_PASS variable where 
Directory Manager password is required but I know it's just name of the 
variable.

-- 
David Kupka