[Freeipa-users] password expiration
Tamas Papp
tompos at martos.bme.hu
Tue Jun 2 19:11:45 UTC 2015
On 06/02/2015 02:00 PM, Martin Kosek wrote:
> On 06/02/2015 11:42 AM, Tamas Papp wrote:
>>
>> On 06/02/2015 10:35 AM, Martin Kosek wrote:
>>> You would need to do the modifications as Directory Manager or other user in
>>> "admins"group.
>>>
>>> To resolve this, you would need manually fix admin entry attribute
>>> krbPasswordExpiration to some future date, kinit as admin and then fixing the
>>> global policy with some sane value (pwpolicy-mod).
>> How can this work? It forces me to change the password again after kinit.
> You would need to use ldapmodify and bind as Directory Manager to do this, you
> cannot change krbPasswordExpiration with IPA user (IIRC).
I mean I changed that entry with ldapmodify, than kinit admin and it
forced me to change the password, GOTO 1:)
But if I understand correctly I should have changed other attribute as
well;)
>> For some reason another user with admin rights was able to login and we were
>> able to fix the policy so far.
> With that other admin user, you can simply call "ipa passwd" on the original
> admin, assign temporary password and have him change it on the first login.
Yes, everything is back to normal operation now.
Thanks for your prompt attention!
tamas
More information about the Freeipa-users
mailing list