[Freeipa-users] Password Expiration Grace Limit

Dmitri Pal dpal at redhat.com
Fri Sep 14 19:10:27 UTC 2012


On 09/14/2012 03:02 PM, Simo Sorce wrote:
> On Fri, 2012-09-14 at 14:50 -0400, Dmitri Pal wrote:
>> On 09/14/2012 02:33 PM, Ott, Dennis wrote: 
>>> There seems to be nothing in the documentation about a user being
>>> able to initiate a password change dialogue after their password has
>>> expired, yet it seems that one is able to do just that. There is a
>>> value in the ldap store, passwordGraceLimit, which is initialized to
>>> zero. I have modified that value but it seems to have no effect.
>>>
>>> I would like to limit this ability to just a few days, or
>>> alternatively, completely lock out the account once the password has
>>> expired. 
>>>
>>> Does anyone have any insight as to how to do this? If not, is it
>>> planned for a future release?
>>>
>>> I suppose I could look at a script running daily that would lock the
>>> account if the user’s password has expired in the last X hours, but
>>> I was hoping for something builtin.
>>>
>>> Any help is appreciated.
>>>
>> AFAIR this is the first request of this kind. We allow changing the
>> password even after expiration. The main reason is that newly created
>> accounts need to change passwords, so they are marked as immediately
>> expired. But it might take some time for a user to actually log into the
>> system for the first time; this is why we never thought about the use
>> case described. So I suspect we do not have any grace period enforced.
>>
>> It might be a bug. 
>>
>> Simo, what do you think?
> Sounds like material for a Feature Request.
>
> I think setting a grace period is a good idea, and has the nice side
> effect of automatically locking new accounts if the user never uses them.
>
> Simo.
>
Dennis,

Can you please file a ticket, or add to this one if you think they are related:
https://fedorahosted.org/freeipa/ticket/1539

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
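
The daily check Dennis describes in the quoted message could look like the sketch below. It is an added example, not part of the original thread and not FreeIPA code. It assumes the expiry time is read from the `krbPasswordExpiration` attribute and the lock state from `nsAccountLock` (neither is named in the thread), and it runs on constructed sample entries. As noted above, newly created accounts are marked as expired immediately, so they are flagged too once the grace window passes.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like ldapsearch LDIF output; the attribute
# names krbPasswordExpiration and nsAccountLock are assumptions, not from the thread.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
krbPasswordExpiration: 20120901120000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
krbPasswordExpiration: 20120913120000Z

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
uid: carol
krbPasswordExpiration: 20120801120000Z
nsAccountLock: TRUE
"""

def parse_entries(ldif):
    """Split LDIF text into one dict per entry (plain single-valued lines only)."""
    entries = []
    for block in ldif.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                entry[key.lower()] = value.strip()
        entries.append(entry)
    return entries

def past_grace(entries, now, grace_days):
    """Return uids whose password expired more than grace_days before now."""
    cutoff = now - timedelta(days=grace_days)
    overdue = []
    for e in entries:
        if e.get("nsaccountlock", "").upper() == "TRUE":
            continue  # already locked, nothing to do
        raw = e.get("krbpasswordexpiration")
        if raw is None:
            continue  # no expiration recorded; leave the account alone
        expired_at = datetime.strptime(raw, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        if expired_at < cutoff:
            overdue.append(e["uid"])
    return overdue

if __name__ == "__main__":
    now = datetime(2012, 9, 14, 19, 0, tzinfo=timezone.utc)
    for uid in past_grace(parse_entries(SAMPLE_LDIF), now, grace_days=3):
        print("ipa user-disable", uid)  # printed for review, not executed
```

The script only prints the `ipa user-disable` commands so an administrator can review the list before locking anything.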

