[Freeipa-users] Do expired passwords remain usable indefinitely?
Brian Candler
b.candler at pobox.com
Tue Oct 25 10:02:40 UTC 2016
On 25/10/2016 10:50, Prasun Gera wrote:
> When is principal expiration triggered ? I haven't set it explicitly
> for any user, and ipa user-show doesn't show that attribute either.
> I'm not very familiar with kerberos.
It doesn't show it unless it has been set. You can set it like this:
# ipa help user-mod
...
--principal-expiration=DATETIME
Kerberos principal expiration
(This is from IPA under CentOS 7. Older versions might not have this
feature at all).
> And as you and David said earlier, if the principal expires, kinit
> shouldn't work either, right ?
Yes I agree. I have just tried setting krbPasswordExpiration to a very
old time, using ldapmodify.
# ldapmodify -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: uid=bcandler,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
changetype: modify
replace: krbPasswordExpiration
krbPasswordExpiration: 20010101000000Z
-
^D
But this works for me:
$ sudo -s
[sudo] password for bcandler:
Password expired. Change your password now.
sudo: Account or password is expired, reset your password and try again
Current Password:
New password:
Retype new password:
#
But actually, I haven't tried the web UI with an expired password yet. I'll
try that later.
Regards,
Brian.
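As an added example (not part of Brian's message or of FreeIPA itself), a small audit script that reads an LDIF dump of the attributes discussed above and lists accounts whose krbPasswordExpiration lies in the past while the principal itself is still valid, i.e. the state where the login above still succeeds and only a password change is forced. The LDIF sample and the uids in it are constructed; the attribute names are the ones from the thread.

```python
"""Audit an LDIF dump for FreeIPA users with an expired Kerberos password.

Added example, not code from the thread or from FreeIPA. Input is shaped like
  ldapsearch -LLL -b cn=users,cn=accounts,dc=ipa,dc=example,dc=com \
      uid krbPasswordExpiration krbPrincipalExpiration
"""
from datetime import datetime, timezone

# Constructed sample: four users in the states the thread distinguishes.
SAMPLE_LDIF = """\
dn: uid=bcandler,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
uid: bcandler
krbPasswordExpiration: 20010101000000Z

dn: uid=alice,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
uid: alice
krbPasswordExpiration: 20260101000000Z

dn: uid=bob,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
uid: bob
krbPasswordExpiration: 20010101000000Z
krbPrincipalExpiration: 20010101000000Z

dn: uid=carol,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
uid: carol
"""

def parse_generalized_time(value):
    """Parse LDAP GeneralizedTime 'YYYYMMDDhhmmssZ' (as stored by IPA) to UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_ldif(text):
    """Split LDIF into dicts; blank lines separate entries, leading-space lines
    are continuations of the previous attribute value, '#' lines are comments."""
    entries, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif line.startswith("#"):
            continue
        elif line.startswith(" ") and last:
            cur[last] += line[1:]
        else:
            last, _, cur[last] = line.partition(": ")[0], None, line.partition(": ")[2]
    if cur:
        entries.append(cur)
    return entries

def expired_password_accounts(text, now_str):
    """uids whose password expired before now_str but whose principal has not:
    no krbPasswordExpiration means no expiry recorded; an expired principal is
    excluded because kinit is refused outright for it."""
    now, found = parse_generalized_time(now_str), []
    for e in parse_ldif(text):
        pw = e.get("krbPasswordExpiration")
        if pw is None or parse_generalized_time(pw) >= now:
            continue
        princ = e.get("krbPrincipalExpiration")
        if princ is not None and parse_generalized_time(princ) < now:
            continue
        found.append(e["uid"])
    return found

if __name__ == "__main__":
    print(expired_password_accounts(SAMPLE_LDIF, "20161025100240Z"))
```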