[Freeipa-users] Password Expiration Grace Limit

Dmitri Pal dpal at redhat.com
Fri Sep 14 18:50:39 UTC 2012


On 09/14/2012 02:33 PM, Ott, Dennis wrote:
> There seems to be nothing in the documentation about a user being able
> to initiate a password change dialogue after their password has
> expired, yet it seems that one is able to do just that. There is a
> value in the LDAP store, passwordGraceLimit, which is initialized to
> zero. I have modified that value but it seems to have no effect.
>
> I would like to limit this ability to just a few days, or
> alternatively, completely lock out the account once the password has
> expired.
>
> Does anyone have any insight as to how to do this? If not, is it
> planned for a future release?
>
> I suppose I could look at a script running daily that would lock the
> account if the user's password has expired in the last X hours, but I
> was hoping for something built-in.
>
> Any help is appreciated.
>
AFAIR this is the first request of this kind. We allow changing the
password even after expiration. The main reason is that newly created
accounts need to change passwords, so they are marked as immediately
expired. But it might take some time for the user to actually log into
the system for the first time; this is why we never thought about the
use case described. So I suspect we do not have any grace period enforced.

It might be a bug.

Simo, what do you think?

> Dennis


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
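
Added example, not part of the original thread and not FreeIPA's own code: a sketch of the daily check Dennis describes, selecting accounts whose password expired more than a chosen grace period ago. The attribute names krbPasswordExpiration and nsAccountLock, the sample entries and the helper names are assumptions of this example; the thread does not name them.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample entries, shaped like the result of an LDAP search for
# uid, krbPasswordExpiration and nsAccountLock (attribute names are an
# assumption of this example; the thread does not name them).
SAMPLE_ENTRIES = [
    {"uid": "alice", "krbPasswordExpiration": "20120901120000Z"},    # expired 13 days ago
    {"uid": "bob", "krbPasswordExpiration": "20120913090000Z"},      # expired yesterday
    {"uid": "carol", "krbPasswordExpiration": "20121201000000Z"},    # not yet expired
    {"uid": "dave", "krbPasswordExpiration": "20120801000000Z",
     "nsAccountLock": "TRUE"},                                       # already locked
    {"uid": "newhire", "krbPasswordExpiration": "20120914100000Z"},  # new account, marked expired at creation
    {"uid": "svc-backup"},                                           # no expiry recorded
]


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime value in the UTC form YYYYMMDDHHMMSSZ."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def accounts_to_lock(entries, now, grace, exempt=()):
    """Return uids whose password expired more than `grace` before `now`."""
    overdue = []
    for entry in entries:
        uid = entry["uid"]
        raw = entry.get("krbPasswordExpiration")
        if uid in exempt or raw is None:
            continue  # exempted, or no expiry to evaluate
        if entry.get("nsAccountLock", "").upper() == "TRUE":
            continue  # already locked, nothing to do
        if now - parse_generalized_time(raw) > grace:
            overdue.append(uid)
    return overdue


if __name__ == "__main__":
    now = datetime(2012, 9, 14, 18, 50, tzinfo=timezone.utc)
    for uid in accounts_to_lock(SAMPLE_ENTRIES, now, timedelta(days=3)):
        # Printed for an administrator to review rather than executed here.
        print("ipa user-disable", uid)
```

Because newly created accounts are marked as immediately expired, a grace period of zero would also select accounts that have never logged in; the grace window is what gives them time for the first password change.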

