[Freeipa-users] IdM Password Expiration

Robert Locke rlocke at redhat.com
Wed Aug 5 13:55:19 UTC 2015


On Wed, 2015-08-05 at 10:31 +0200, David Kupka wrote:
> On 04/08/15 17:01, Robert Locke wrote:
> > Hey folks,
> >
> > I have been using the following to adjust the Password Expiration of
> > accounts in IdM/IPA:
> >          echo "$ADMIN_PASS" | kinit admin
> >          echo -e "dn:
> > uid=rheluseri,cn=users,cn=accounts,dc=example,dc=com\nchangetype: modify
> > \nreplace: krbPasswordExpiration\nkrbPasswordExpiration: 20300101000000Z
> > \n" | ldapmodify -x -D 'cn=Directory Manager' -w $ADMIN_PASS
> >
> > This has worked nicely for me.
> >
> > My "new" problem is that the admin account itself expires after 90 days.
> > I thought since ldapsearch does show the admin account, that simply
> > substituting the uid might work.
> >
> >          echo -e "dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
> > \nchangetype: modify\nreplace: krbPasswordExpiration
> > \nkrbPasswordExpiration: 20300101000000Z\n" | ldapmodify -x -D
> > 'cn=Directory Manager' -w $ADMIN_PASS
> >
> > My attempts to adjust the admin account in this similar fashion have
> > been not surprisingly unsuccessful.
> >
> > Suggestions/pointers?
> >
> > --Rob
> >
> >
> >
> Hello,
> I just tried to set krbPasswordExpiration attribute for admin and it 
> worked as expected:
> 
> $ ipa user-show admin --all
>    dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
>    User login: admin
>    ...
>    krbpasswordexpiration: 20200101000000Z
>    ...
> 
> $ echo -e "dn: 
> uid=admin,cn=users,cn=accounts,dc=example,dc=com\nchangetype: 
> modify\nreplace: krbPasswordExpiration\nkrbPasswordExpiration: 
> 20300101000000Z\n" | ldapmodify -x -D 'cn=Directory Manager' -w $DM_PASS
> modifying entry "uid=admin,cn=users,cn=accounts,dc=example,dc=com"
> 
> $ ipa user-show admin --all
>    dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
>    User login: admin
>    ...
>    krbpasswordexpiration: 20300101000000Z
>    ...
> 
> Could you provide more information about what is failing? The only thing 
> that comes to my mind is that you're using the $ADMIN_PASS variable where 
> the Directory Manager password is required, but I know it's just the name of the 
> variable.
> 

You're right. It was my mistake.

My reality is that $ADMIN_PASS is used to set both the Directory Manager
and admin passwords initially during ipa-server-install. When I was
faced with having to change the admin password, I failed to realize that
the Directory Manager password had remained the same, so all my
"testing" was simply using the wrong new password of admin when I simply
needed to use the old password of Directory Manager.

Sorry for the noise. And thanks for checking it on me.

--Rob

-- 
Robert Locke                 Google Voice: (203) 794-6007
Senior Curriculum Developer             rlocke at redhat.com
GnuPG: A334 CAB1 451A 6083 CDD8  40FE A5DE E418 82E0 0780
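The thread above ends with the cause found: the `-w $ADMIN_PASS` bind used the admin Kerberos password where the Directory Manager password was required. The script below is an added example, not something posted in the thread or shipped with FreeIPA; it builds the same `krbPasswordExpiration` modify LDIF with `printf` instead of `echo -e`, keeps the two credentials in separately named variables, and validates the GeneralizedTime value before it reaches `ldapmodify`. The base DN `dc=example,dc=com`, the `DM_PASS` variable name and the helper names are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): reset a user's
# krbPasswordExpiration via ldapmodify without the credential mix-up the
# thread ran into. Values below are constructed; adjust for your realm.

BASE_DN="dc=example,dc=com"   # assumed base DN, matching the thread's example

# Return 0 if the value is a GeneralizedTime of the shape the thread uses
# (YYYYMMDDHHMMSSZ), 1 otherwise. A malformed value would be rejected by the
# server anyway, but checking here gives a clearer error before binding.
valid_expiration() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]Z) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the modify LDIF for one user. printf is used instead of echo -e so
# the escapes do not depend on which echo the shell provides.
build_ldif() {
    uid="$1"
    expiration="$2"
    valid_expiration "$expiration" || return 1
    printf 'dn: uid=%s,cn=users,cn=accounts,%s\nchangetype: modify\nreplace: krbPasswordExpiration\nkrbPasswordExpiration: %s\n' \
        "$uid" "$BASE_DN" "$expiration"
}

# Bind as Directory Manager using DM_PASS, a name distinct from ADMIN_PASS so
# the admin Kerberos password cannot be handed to a simple LDAP bind by habit.
# The password is passed with -y from a 0600 temp file rather than -w, so it
# does not appear in the process argument list. Not run in this example:
# it assumes ldapmodify is installed and the IPA LDAP server is reachable.
apply_expiration() {
    uid="$1"
    expiration="$2"
    : "${DM_PASS:?set DM_PASS to the Directory Manager password (not the admin password)}"
    pwfile=$(mktemp) || return 1
    chmod 600 "$pwfile"
    printf '%s' "$DM_PASS" > "$pwfile"   # -y uses the file's full contents; no trailing newline
    build_ldif "$uid" "$expiration" | ldapmodify -x -D 'cn=Directory Manager' -y "$pwfile"
    rc=$?
    rm -f "$pwfile"
    return $rc
}

# Usage: DM_PASS='...' sh thisscript.sh admin 20300101000000Z
if [ "$#" -eq 2 ]; then
    apply_expiration "$1" "$2"
fi
```

Afterwards, `ipa user-show admin --all` should report the new `krbpasswordexpiration`, as David's output in the thread shows; if the bind fails with invalid credentials, the first thing to check is which password `DM_PASS` actually holds.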
