[Freeipa-users] Remove password expiration after useradd

Rob Crittenden rcritten at redhat.com
Thu Feb 5 21:04:32 UTC 2015


Matt . wrote:
> OK this works out good, I can login without changing my password directly.
> 
> But my expire is still on a day which should be set higher.
> 
> min is on 0 everywhere, max is 90 days.
> 
> How to accomplish that ?

I can't think of a way without modifying code.

Changing the password model has consequences.

rob

> 
> 
> 
> 2015-02-05 17:13 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>> Yes, when receiving your email I found that indeed. My ldapEditor
>> doesn't allow me to add that value, so this needs to be done using the
>> command line?
>>
>>
>>
>> 2015-02-05 15:03 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>> Matt . wrote:
>>>> Hi,
>>>>
>>>> I'm already doing so without any luck. If you remember something,
>>>> would be nice to know!
>>>>
>>>> So it should be possible to do still ?
>>>
>>> If the DN of the entry adding the password is in passSyncManagersDNs in
>>> the entry dn: cn=ipa_pwd_extop,cn=plugins,cn=config then the password
>>> will not be marked as expired (password policy is not applied at all IIRC).
>>>
>>> rob
>>>
>>>>
>>>> 2015-02-05 14:26 GMT+01:00 Dmitri Pal <dpal at redhat.com>:
>>>>> On 02/05/2015 07:59 AM, Matt . wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> OK, but as far as I understand we made some change, using a
>>>>>> commandline command which I cannot remember or find, which goes around
>>>>>> the password policy, or the attribute you talk about, when you add a
>>>>>> user.
>>>>>>
>>>>>> Can I change that globally? As we did it seems... but we were testing
>>>>>> so much back those days that it seems to be lost or so.
>>>>>
>>>>>
>>>>> I do not remember the details from top of my head. You can probably try to
>>>>> search the mail archives.
>>>>>
>>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>> 2015-02-05 13:21 GMT+01:00 Dmitri Pal <dpal at redhat.com>:
>>>>>>>
>>>>>>> On 02/05/2015 05:54 AM, Matt . wrote:
>>>>>>>>
>>>>>>>> In the past we have done some testsetups with password expiring after
>>>>>>>> we added a user, at the moment I have difficulties with this on 4.1.2
>>>>>>>>
>>>>>>>> What I need is the following:
>>>>>>>>
>>>>>>>> - We add a user using json/kinit
>>>>>>>> - The user is added in the right way
>>>>>>>> - The user should be able to use his set password by the admin (at
>>>>>>>> least
>>>>>>>> ldap)
>>>>>>>>
>>>>>>>> At the moment the password is expired directly and I tried adding the
>>>>>>>> user with min/max lifetime to 0/0 which didn't work out. Also 0/500
>>>>>>>> doesn't seem to fix my issue.
>>>>>>>>
>>>>>>>> I thought we had to do a little bit more to accomplish this, but I'm
>>>>>>>> not able to find this (anymore)
>>>>>>>>
>>>>>>>> Does someone have a clue how to fix this ? I'm quite sure this is
>>>>>>>> possible.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Matt
>>>>>>>>
>>>>>>> It was always the feature of IPA to require password change on the first
>>>>>>> login after it was created.
>>>>>>> If you do not want it to be expired you need to change the expiration
>>>>>>> attribute of the account not min max life.
>>>>>>>
>>>>>>> --
>>>>>>> Thank you,
>>>>>>> Dmitri Pal
>>>>>>>
>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>> Red Hat, Inc.
>>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Thank you,
>>>>> Dmitri Pal
>>>>>
>>>>> Sr. Engineering Manager IdM portfolio
>>>>> Red Hat, Inc.
>>>>>
>>>>
>>>
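
Added example, not part of the original thread or of FreeIPA's own code: one way to make the passSyncManagersDNs change described above from the command line, and to audit afterwards which bind DNs are exempt from password policy. The suffix dc=example,dc=com, the uid=provisioner and uid=passsync accounts, and the helper names are constructed placeholders.

```shell
#!/usr/bin/env bash
# Assumptions (not from the thread): suffix dc=example,dc=com, a dedicated
# system account uid=provisioner, and the helper names below.

PLUGIN_DN='cn=ipa_pwd_extop,cn=plugins,cn=config'

# Emit the LDIF that adds one bind DN to passSyncManagersDNs.
# Passwords set by a DN listed there are not marked expired, so list only
# a dedicated provisioning account, never a personal admin account.
make_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: passSyncManagersDNs\npassSyncManagersDNs: %s\n' \
        "$PLUGIN_DN" "$1"
}

# Read ldapsearch LDIF on stdin and print each passSyncManagersDNs value,
# one per line, joining folded lines (a leading space continues a value).
list_sync_managers() {
    awk '
        /^ / { if (keep) val = val substr($0, 2); next }
        { if (keep) print val; keep = 0 }
        tolower($0) ~ /^passsyncmanagersdns: / {
            val = $0; sub(/^[^:]*: /, "", val); keep = 1
        }
        END { if (keep) print val }
    '
}

# Constructed sample of what the audit query might return (second value folded).
SAMPLE='dn: cn=ipa_pwd_extop,cn=plugins,cn=config
passSyncManagersDNs: uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
passSyncManagersDNs: uid=provisioner,cn=sysaccounts,cn=etc,dc=exam
 ple,dc=com'

# Apply the change (run as Directory Manager on the IPA server):
#   make_ldif 'uid=provisioner,cn=sysaccounts,cn=etc,dc=example,dc=com' \
#     | ldapmodify -x -D 'cn=Directory Manager' -W
#
# Audit who is currently exempt:
#   ldapsearch -LLL -x -D 'cn=Directory Manager' -W -s base \
#     -b "$PLUGIN_DN" passSyncManagersDNs | list_sync_managers
#
# Offline check of the parser against the constructed sample:
#   printf '%s\n' "$SAMPLE" | list_sync_managers
```

The user entry then has to be created, or its password set, while bound as the listed DN for the exemption to apply.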



