[Freeipa-users] How to unset a user's kerberos principal expiration date?
David Kupka
dkupka at redhat.com
Thu Jun 30 07:21:48 UTC 2016
On 29/06/16 19:05, Roderick Johnstone wrote:
> Hi
>
> If I set a kerberos principal for a user to expire on a given date using:
> ipa user-mod <user> --principal-expiration=DATE
> is it possible to later remove this expiration date rather than just set
> it to a time far in the future?
>
> Thanks
>
> Roderick Johnstone
>
Hello Roderick,
AFAIK the only way to remove principal expiration at the time is remove
krbPrincipalExpiration attribute from the user entry in DS.
$ kinit admin
Password for admin at EXAMPLE.ORG
$ ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: admin at EXAMPLE.ORG
SASL SSF: 56
SASL data security layer installed.
dn:uid=tuser,cn=users,cn=accounts,dc=example,dc=org
changetype: modify
delete: krbprincipalexpiration
modifying entry "uid=tuser,cn=users,cn=accounts,dc=example,dc=org"
I think that it makes sense to expose this in API. Could you please file
RFE (https://fedorahosted.org/freeipa/newticket)?
--
David Kupka
More information about the Freeipa-users
mailing list