[Freeipa-users] Remove password exiration after useradd

Thu Feb 5 21:47:43 UTC 2015

I'm quite sure you can without changing code, I need to find out where
it's set again... it's doable.

2015-02-05 22:04 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
> Matt . wrote:
>> OK this works out good, I can login without changing my password directly.
>>
>> But my expire is still on a day which should be set higer.
>>
>> min is on 0 everywhere, max is 90 days.
>>
>> How to accomplish that ?
>
> I can't think of a way without modifying code.
>
> Changing the password model has consequences.
>
> rob
>
>>
>>
>>
>> 2015-02-05 17:13 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>>> Yes, when receiving your email I found that indeed. My ldapEditor
>>> doesn't allow me to add that value, so this need to be done using the
>>> commandline ?
>>>
>>>
>>>
>>> 2015-02-05 15:03 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>>> Matt . wrote:
>>>>> HI,
>>>>>
>>>>> I'm already doing so without any luck. If you remember something,
>>>>> would be nice to know!
>>>>>
>>>>> So it should be possible to do still ?
>>>>
>>>> If the DN of the entry adding the password is in passSyncManagersDNs in
>>>> the entry dn: cn=ipa_pwd_extop,cn=plugins,cn=config then the password
>>>> will not be marked as expired (password policy is not applied at all IIRC).
>>>>
>>>> rob
>>>>
>>>>>
>>>>> 2015-02-05 14:26 GMT+01:00 Dmitri Pal <dpal at redhat.com>:
>>>>>> On 02/05/2015 07:59 AM, Matt . wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> OK, but as far as I understand we made some change, using a
>>>>>>> commandline command which I cannot remember or find, which goes around
>>>>>>> the password policy, or the attribute you talk about, when you add a
>>>>>>> user.
>>>>>>>
>>>>>>> Can I change that globally? As we did it seems... but we were testing
>>>>>>> so much back those days that it seems to be lost or so.
>>>>>>
>>>>>>
>>>>>> I do not remember the detils from top of my head. You can probably try to
>>>>>> search the mail archives.
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>> 2015-02-05 13:21 GMT+01:00 Dmitri Pal <dpal at redhat.com>:
>>>>>>>>
>>>>>>>> On 02/05/2015 05:54 AM, Matt . wrote:
>>>>>>>>>
>>>>>>>>> In the past we have done some testsetups with password expiring after
>>>>>>>>> we added a user, at the moment I have difficulties with this on 4.1.2
>>>>>>>>>
>>>>>>>>> What I need is the following:
>>>>>>>>>
>>>>>>>>> - We add a user using json/kinit
>>>>>>>>> - The user is added in the right way
>>>>>>>>> - tThe user should be able to use his set password by the admin (at
>>>>>>>>> least
>>>>>>>>> ldap)
>>>>>>>>>
>>>>>>>>> At the moment the password is expired directly and I tried adding the
>>>>>>>>> user with min/max lifetime to 0/0 which didn't work out. Als 0/500
>>>>>>>>> doesn't seem to fix my issue.
>>>>>>>>>
>>>>>>>>> I thought we had to do a little but more to accomplish this, but I'm
>>>>>>>>> not able to find this (anymore)
>>>>>>>>>
>>>>>>>>> Does someone have a clue how to fix this ? I'm quite sure this is
>>>>>>>>> possible.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> Matt
>>>>>>>>>
>>>>>>>> It was always the feature of IPA to require password change on the first
>>>>>>>> login after it was created.
>>>>>>>> If you do not want it to be expired you need to change the expiration
>>>>>>>> attribute of the account not min max life.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Thank you,
>>>>>>>> Dmitri Pal
>>>>>>>>
>>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>>> Red Hat, Inc.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>> Go To http://freeipa.org for more info on the project
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Thank you,
>>>>>> Dmitri Pal
>>>>>>
>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>> Red Hat, Inc.
>>>>>>
>>>>>
>>>>
>