[Freeipa-users] How to unset a user's kerberos principal expiration date?
Rob Crittenden
rcritten at redhat.com
Thu Jun 30 13:14:42 UTC 2016
David Kupka wrote:
> On 29/06/16 19:05, Roderick Johnstone wrote:
>> Hi
>>
>> If I set a kerberos principal for a user to expire on a given date using:
>> ipa user-mod <user> --principal-expiration=DATE
>> is it possible to later remove this expiration date rather than just set
>> it to a time far in the future?
>>
>> Thanks
>>
>> Roderick Johnstone
>>
>
> Hello Roderick,
> AFAIK the only way to remove principal expiration at the time is remove
> krbPrincipalExpiration attribute from the user entry in DS.
>
> $ kinit admin
> Password for admin at EXAMPLE.ORG
> $ ldapmodify -Y GSSAPI
> SASL/GSSAPI authentication started
> SASL username: admin at EXAMPLE.ORG
> SASL SSF: 56
> SASL data security layer installed.
> dn:uid=tuser,cn=users,cn=accounts,dc=example,dc=org
> changetype: modify
> delete: krbprincipalexpiration
> modifying entry "uid=tuser,cn=users,cn=accounts,dc=example,dc=org"
>
> I think that it makes sense to expose this in API. Could you please file
> RFE (https://fedorahosted.org/freeipa/newticket)?
>
You just need to pass in a blank value:
$ ipa user-mod <user> --principal-expiration=
rob
More information about the Freeipa-users
mailing list