[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Freeipa-users] Password Expiration Grace Limit



On Fri, 2012-09-14 at 14:50 -0400, Dmitri Pal wrote:
> On 09/14/2012 02:33 PM, Ott, Dennis wrote: 
> > There seems to be nothing in the documentation about a user being
> > able to initiate a password change dialogue after their password has
> > expired, yet it seems that one is able to do just that. There is a
> > value in the ldap store, passwordGraceLimit, which is initialized to
> > zero. I have modified that value but it seems to have no effect.
> > 
> >  
> > 
> > I would like to limit this ability to just a few days, or
> > alternatively, completely lock out the account once the password has
> > expired. 
> > 
> >  
> > 
> > Does anyone have any insight as to how to do this? If not, is it
> > planned for a future release?
> > 
> >  
> > 
> > I suppose I could look at a script running daily that would lock the
> > account if the user’s password has expired in the last X hours, but
> > I was hoping for something builtin.
> > 
> >  
> > 
> > Any help is appreciated.
> > 
> >  
> > 
> > 
> AFAIR this is the first request of this kind. We allow to change the
> password even after expiration. The main reason is that newly created
> accounts need to change passwords so they are marked as immediately
> expired. But it might take some time for user to actually log into the
> system for the first time this is why we never thought about the use
> case described. So I suspect we do not have any grace period enforced.
> 
> It might be a bug. 
> 
> Simo, what do you think ?

Sounds like material for a Feature Request.

I think setting a grace period is a good idea, and have the nice side
effect of automatically locking new accounts if the user never use them.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]