[Freeipa-users] Password Expiration Grace Limit

Dmitri Pal dpal at redhat.com
Fri Sep 14 19:09:14 UTC 2012


On 09/14/2012 02:52 PM, Rob Crittenden wrote:
> Ott, Dennis wrote:
>> There seems to be nothing in the documentation about a user being able
>> to initiate a password change dialogue after their password has expired,
>> yet it seems that one is able to do just that. There is a value in the
>> ldap store, passwordGraceLimit, which is initialized to zero. I have
>> modified that value but it seems to have no effect.
>
> This value is not used by IPA.
>
> I don't believe we have the ability to do this right now. As you
> suggest, some automation may be required to find expired passwords and
> lock them out.
>
>> I would like to limit this ability to just a few days, or alternatively,
>> completely lock out the account once the password has expired.
>
> This would be difficult because administratively-reset accounts have
> their passwords expired to force users to set a new one (so that only
> the end-user knows their password). This would effectively lock
> everyone out.
>
>>
>> Does anyone have any insight as to how to do this? If not, is it planned
>> for a future release?
>
> No plans for this AFAIK. Feel free to file an enhancement request
> ticket on our Trac site, https://fedorahosted.org/freeipa/
>
>> I suppose I could look at a script running daily that would lock the
>> account if the user’s password has expired in the last X hours, but I
>> was hoping for something builtin.
>

This is related: https://fedorahosted.org/freeipa/ticket/1539

> regards
>
> rob


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
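
The daily lockout job discussed in this thread, sketched as an added example (not code from the thread or from the FreeIPA project). It selects accounts whose password expired more than a grace window ago and skips administratively reset accounts so they are not locked out. Assumptions: entries arrive as dicts of `uid`, `krbPasswordExpiration`, `krbLastPwdChange` and `nsAccountLock` read from LDAP, an admin reset is recognised by the expiry not being later than the last change, and the three-day window and all sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

GRACE = timedelta(days=3)  # assumed site policy: time allowed after expiry

def parse_gt(value):
    """Parse an LDAP GeneralizedTime value such as 20120914190914Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def classify(entry, now, grace=GRACE):
    """Return 'disabled', 'ok', 'admin_reset', 'grace' or 'lock' for one entry."""
    if entry.get("nsAccountLock", "").lower() == "true":
        return "disabled"                  # already locked, nothing to do
    expiry = entry.get("krbPasswordExpiration")
    if not expiry:
        return "ok"                        # no expiry recorded
    expires = parse_gt(expiry)
    if expires > now:
        return "ok"                        # password still valid
    changed = entry.get("krbLastPwdChange")
    # Assumption: an administrative reset leaves the expiry at (or before)
    # the time of the change, so the user still has to set a new password.
    if changed and parse_gt(changed) >= expires:
        return "admin_reset"
    return "lock" if now - expires > grace else "grace"

def accounts_to_lock(entries, now, grace=GRACE):
    """uids whose password has been expired for longer than the grace window."""
    return [e["uid"] for e in entries if classify(e, now, grace) == "lock"]

# Constructed sample entries (not real directory data).
SAMPLE = [
    {"uid": "alice", "krbLastPwdChange": "20120603090000Z",
     "krbPasswordExpiration": "20120901090000Z"},
    {"uid": "bob", "krbLastPwdChange": "20120615120000Z",
     "krbPasswordExpiration": "20120913120000Z"},
    {"uid": "carol", "krbLastPwdChange": "20120910080000Z",
     "krbPasswordExpiration": "20120910080000Z"},   # admin reset
    {"uid": "dave", "krbLastPwdChange": "20120902100000Z",
     "krbPasswordExpiration": "20121201100000Z"},
    {"uid": "erin", "nsAccountLock": "TRUE",
     "krbPasswordExpiration": "20120101000000Z"},
]
NOW = datetime(2012, 9, 14, 19, 9, 14, tzinfo=timezone.utc)  # constructed "now"

if __name__ == "__main__":
    for uid in accounts_to_lock(SAMPLE, NOW):
        print(uid)  # each uid could then be passed to: ipa user-disable <uid>
```

An account that was reset by an administrator and never used stays in the `admin_reset` state here, so a separate review of those accounts is still needed.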

