[Freeipa-users] krbPasswordExpiration field not updating?

Petr Spacek pspacek at redhat.com
Wed May 9 11:21:39 UTC 2012


On 05/09/2012 03:31 AM, Dan Scott wrote:
> On Tue, May 8, 2012 at 8:45 PM,<freeipa at noboost.org>  wrote:
>> On Tue, May 08, 2012 at 09:43:13AM -0400, Rob Crittenden wrote:
>>> Dan Scott wrote:
>>>> On Tue, May 8, 2012 at 1:55 AM,<freeipa at noboost.org>    wrote:
>>>>> Hi,
>>>>>
>>>>> Spec:
>>>>> Red Hat Enterprise Linux Server release 6.2 (Santiago)
>>>>>   ipa-admintools-2.1.3-9.el6.x86_64
>>>>>   ipa-client-2.1.3-9.el6.x86_64
>>>>>   ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>>   ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>>   ipa-python-2.1.3-9.el6.x86_64
>>>>>   ipa-server-2.1.3-9.el6.x86_64
>>>>>   ipa-server-selinux-2.1.3-9.el6.x86_64
>>>>>
>>>>> Issue:
>>>>> Firstly I'll declare someone must have seen this by now?
>>>>>
>>>>> I've set the password policy to 99999;
>>>>> [root at sysvm-ipa ~]# ipa pwpolicy-show
>>>>>   Group: global_policy
>>>>>   Max lifetime (days): 99999
>>>>>   Min lifetime (hours): 1
>>>>>   History size: 0
>>>>>   Character classes: 0
>>>>>   Min length: 6
>>>>>   Max failures: 6
>>>>>   Failure reset interval: 60
>>>>>   Lockout duration: 600
>>>>>
>>>>> But old accounts are not getting the change at the ldap level, even
>>>>> though IPA claims the expiry date has updated.
>>>>> e.g.
>>>>> [root at sysvm-ipa ~]# ipa pwpolicy-show --user=john
>>>>>   Group: global_policy
>>>>>   Max lifetime (days): 99999
>>>>>   Min lifetime (hours): 1
>>>>>   History size: 0
>>>>>   Character classes: 0
>>>>>   Min length: 6
>>>>>   Max failures: 6
>>>>>   Failure reset interval: 60
>>>>>   Lockout duration: 600
>>>>>
>>>>>
>>>>> ldapsearch (command chopped)
>>>>> # john, users, accounts, teratext.saic.com.au
>>>>> dn: uid=john,cn=users,cn=accounts,dc=example,dc=com
>>>>> krbPasswordExpiration: 20120506011529Z
>>>>>
>>>>>
>>>>> So now when the user(s) logs in, I'm getting "password will expire in XX
>>>>> days" messages.
>>>>>
>>>>> Any ideas?
>>>>> Can I globally update this somehow, otherwise I'll be re-typing
>>>>> passwords for a while.
>>>>
>>>> A password reset by admin always expires the password. I think once
>>>> the user first changes their password it will have the lifetime that
>>>> you specified.
>>>>
>>>> You can force the expiration date using an ldapmodify command:
>>>>
>>>> ldapmodify -x -D 'cn=directory manager' -W -h $IPA_SERVER -p 389 -vv
>>>> -f update_krbpasswordexpiration.ldif
>>>>
>>>> Where the update_krbpasswordexpiration.ldif file contains:
>>>>
>>>> dn: uid=$USERNAME,cn=users,cn=accounts,dc=example,dc=com
>>>> changetype: modify
>>>> replace: krbpasswordexpiration
>>>> krbpasswordexpiration: 20140202203734Z
>>>>
>>>> You could do this as admin if you have a ticket so that you don't have
>>>> to enter the directory manager password.
>>>
>>> This is great, thanks Dan.
>>>
>>> BTW the equivalent command using a Kerberos ticket is:
>>>
>>> $ ldapmodify -Y GSSAPI -h $IPA_SERVER -p 389 -vv -f
>>> update_krbpasswordexpiration.ldif
>>>
>>> rob
>>>
>> Thanks, great advice. So just to clarify, do the rear numbers just
>> represent hours, seconds etc.?
>> e.g. krbpasswordexpiration: 20150101203734Z
>>      krbpasswordexpiration: 20150101 [20 37 34 ?] Z (20=hour, 37=min, 34=sec)?
>
> Yep, and Z indicates GMT.

The question is:
1) Should we document that (and provide a hint in `ipa pwpolicy` output)?
  OR
2) Should ipa pwpolicy do an update for all affected principals in LDAP, just to 
prevent confusion?

I like variant 2, because variant 1 seems to be confusing to me.

Craig, what is the user opinion?

Petr^2 Spacek
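The thread covers two mechanics: krbPasswordExpiration is an LDAP GeneralizedTime (YYYYMMDDHHMMSSZ, Z meaning UTC), and a bulk fix is a replace-modify LDIF per user. The helper below is an added example, not code from the thread or from FreeIPA: it converts timezone-aware datetimes to and from that format (a naive datetime is rejected so a local time is never written as UTC), and builds the multi-record LDIF that ldapmodify consumes. The base DN dc=example,dc=com matches the thread; the usernames and timestamps are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

GENERALIZED_TIME_FMT = "%Y%m%d%H%M%SZ"  # e.g. 20140202203734Z, always UTC


def generalized_time(dt: datetime) -> str:
    """Render an aware datetime as the UTC GeneralizedTime Kerberos stores."""
    if dt.tzinfo is None:
        # A naive value would be written as if it were UTC; refuse it.
        raise ValueError("krbPasswordExpiration needs a timezone-aware datetime")
    return dt.astimezone(timezone.utc).strftime(GENERALIZED_TIME_FMT)


def parse_generalized_time(value: str) -> datetime:
    """Parse the value exactly as ldapsearch prints it (15 chars, trailing Z)."""
    if len(value) != 15 or not value.endswith("Z") or not value[:-1].isdigit():
        raise ValueError(f"unexpected krbPasswordExpiration format: {value!r}")
    return datetime.strptime(value, GENERALIZED_TIME_FMT).replace(tzinfo=timezone.utc)


def expiry_from_policy(last_change: datetime, max_lifetime_days: int) -> datetime:
    """What the attribute should be if max lifetime were applied to an old change."""
    return last_change + timedelta(days=max_lifetime_days)


def build_ldif(usernames, expiry: datetime, base_dn: str = "dc=example,dc=com") -> str:
    """One 'changetype: modify' record per user, separated by blank lines."""
    stamp = generalized_time(expiry)
    records = [
        f"dn: uid={user},cn=users,cn=accounts,{base_dn}\n"
        "changetype: modify\n"
        "replace: krbPasswordExpiration\n"
        f"krbPasswordExpiration: {stamp}\n"
        for user in usernames
    ]
    return "\n".join(records)


if __name__ == "__main__":
    # Constructed sample: two users whose passwords were last reset on the date in the thread.
    last_reset = parse_generalized_time("20120506011529Z")
    new_expiry = expiry_from_policy(last_reset, 90)
    print(build_ldif(["john", "alice"], new_expiry))
```

Feed the printed LDIF to the ldapmodify invocation from the thread (`-Y GSSAPI` with an admin ticket, or `-D 'cn=directory manager' -W`) and verify with ldapsearch afterwards.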