[Freeipa-users] krbPasswordExpiration field not updating?

Rob Crittenden rcritten at redhat.com
Tue May 8 13:43:13 UTC 2012


Dan Scott wrote:
> On Tue, May 8, 2012 at 1:55 AM,<freeipa at noboost.org>  wrote:
>> Hi,
>>
>> Spec:
>> Red Hat Enterprise Linux Server release 6.2 (Santiago)
>>   ipa-admintools-2.1.3-9.el6.x86_64
>>   ipa-client-2.1.3-9.el6.x86_64
>>   ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>   ipa-pki-common-theme-9.0.3-7.el6.noarch
>>   ipa-python-2.1.3-9.el6.x86_64
>>   ipa-server-2.1.3-9.el6.x86_64
>>   ipa-server-selinux-2.1.3-9.el6.x86_64
>>
>> Issue:
>> Firstly I'll declare someone must have seen this by now?
>>
>> I've set the password policy to 99999;
>> [root at sysvm-ipa ~]# ipa pwpolicy-show
>>   Group: global_policy
>>   Max lifetime (days): 99999
>>   Min lifetime (hours): 1
>>   History size: 0
>>   Character classes: 0
>>   Min length: 6
>>   Max failures: 6
>>   Failure reset interval: 60
>>   Lockout duration: 600
>>
>> But old accounts are not getting the change at the ldap level, even
>> though IPA claims the expiry date has updated.
>> e.g.
>> [root at sysvm-ipa ~]# ipa pwpolicy-show --user=john
>>   Group: global_policy
>>   Max lifetime (days): 99999
>>   Min lifetime (hours): 1
>>   History size: 0
>>   Character classes: 0
>>   Min length: 6
>>   Max failures: 6
>>   Failure reset interval: 60
>>   Lockout duration: 600
>>
>>
>> ldapsearch (command chopped)
>> # john, users, accounts, teratext.saic.com.au
>> dn: uid=john,cn=users,cn=accounts,dc=example,dc=com
>> krbPasswordExpiration: 20120506011529Z
>>
>>
>> So now when the user(s) logs in, I'm getting "password will expire in XX
>> days" messages.
>>
>> Any ideas?
>> Can I globally update this somehow, otherwise I'll be re-typing
>> passwords for a while.
>
> A password reset by admin always expires the password. I think once
> the user first changes their password it will have the lifetime that
> you specified.
>
> You can force the expiration date using an ldapmodify command:
>
> ldapmodify -x -D 'cn=directory manager' -W -h $IPA_SERVER -p 389 -vv -f update_krbpasswordexpiration.ldif
>
> Where the update_krbpasswordexpiration.ldif file contains:
>
> dn: uid=$USERNAME,cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> replace: krbpasswordexpiration
> krbpasswordexpiration: 20140202203734Z
>
> You could do this as admin if you have a ticket so that you don't have
> to enter the directory manager password.

This is great, thanks Dan.

BTW the equivalent command using a Kerberos ticket is:

$ ldapmodify -Y GSSAPI -h $IPA_SERVER -p 389 -vv -f update_krbpasswordexpiration.ldif

rob
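The original poster asked whether the expiration could be updated globally rather than one account at a time. The script below is an added example, not code from the thread or from the FreeIPA project: it parses the krbPasswordExpiration values ldapsearch reports, lists the accounts that have expired or are about to, and emits one LDIF modify record per account in the shape Dan showed, ready to feed to ldapmodify. It assumes the thread's base DN (cn=users,cn=accounts,dc=example,dc=com) and a constructed set of sample values.

```python
"""Build a bulk krbPasswordExpiration reset LDIF from ldapsearch output.

Added example (not from the thread). Assumes the base DN used in the thread
and a constructed sample of per-user expiration values.
"""
from datetime import datetime, timedelta, timezone

BASE_DN = "cn=users,cn=accounts,dc=example,dc=com"  # from the thread's dn


def to_krb_time(dt: datetime) -> str:
    """Format a datetime as LDAP GeneralizedTime in UTC (YYYYMMDDHHMMSSZ)."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def from_krb_time(value: str) -> datetime:
    """Parse a krbPasswordExpiration value as returned by ldapsearch."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def expiring_within(entries: dict, now: datetime, days: int) -> list:
    """Audit helper: uids already expired or expiring within `days` of `now`."""
    limit = now + timedelta(days=days)
    return sorted(uid for uid, exp in entries.items() if from_krb_time(exp) <= limit)


def build_ldif(uids, expiration: datetime) -> str:
    """One modify record per uid, matching the LDIF format shown in the thread."""
    stamp = to_krb_time(expiration)
    records = [
        f"dn: uid={uid},{BASE_DN}\n"
        "changetype: modify\n"
        "replace: krbPasswordExpiration\n"
        f"krbPasswordExpiration: {stamp}\n"
        for uid in uids
    ]
    return "\n".join(records)


# Constructed sample of what ldapsearch might report for three accounts.
SAMPLE = {
    "john": "20120506011529Z",   # the value quoted in the thread
    "alice": "20120601000000Z",  # constructed: expires soon
    "bob": "20150101000000Z",    # constructed: fine for now
}

if __name__ == "__main__":
    now = datetime(2012, 5, 8, tzinfo=timezone.utc)
    targets = expiring_within(SAMPLE, now, days=30)
    print(build_ldif(targets, now + timedelta(days=365)))
```

Pipe the output to `ldapmodify -Y GSSAPI -h $IPA_SERVER -p 389` (it reads the records from stdin when no `-f` file is given), after reviewing the list of affected uids.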
