[Freeipa-users] Account Expiration

Rob Crittenden rcritten at redhat.com
Thu Feb 7 03:24:28 UTC 2013 

James James wrote:
> Can somebody gives me some help to set krbPrincipalExpiration from the
> freeipa ui ?

You can't set this in the web UI.

You can do it from the command line using ldapmodify with:

$ ldapmodify -x -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
replace: krbPasswordExpiration
krbPasswordExpiration: 20200508032114Z

^D

rob
>
> Many thanks
>
>
> 2013/1/28 James James <jreg2k at gmail.com <mailto:jreg2k at gmail.com>>
>
>     Hi Martin,
>     thanks a lot for your answer. The krbPrincipalExpiration should do
>     the job.
>
>     Regards.
>
>
>     2013/1/28 Martin Kosek <mkosek at redhat.com <mailto:mkosek at redhat.com>>
>
>         On 01/28/2013 12:14 PM, James James wrote:
>          > Hi, in 389-ds there is a nice plugin I love,  it's account
>         policy. You can set
>          > account expiration date and the account will be inactive at
>         this day.
>          >
>          >
>         http://directory.fedoraproject.org/wiki/Account_Policy_Design#Detailed_Design_of_Account_Expiration
>          >
>          > Is there a way to have this feature with freeipa ?
>          >
>          > Regards.
>          >
>          >
>          > James
>          >
>
>         Hello James,
>
>         FreeIPA user plugin does not support this feature, you would
>         need to hack it in
>         the plugin yourselves (patches welcome :-).
>
>         Generally, you should be able to set account expiration to
>         krbPrincipalExpiration attribute of the user account and it
>         should just work.
>         You can also check few tickets we have already few tickets filed
>         for better
>         handling of this attribute:
>
>         https://fedorahosted.org/freeipa/ticket/3062
>         [RFE] Allow admins to change expiration attribute for the accounts
>
>         https://fedorahosted.org/freeipa/ticket/3305
>         KrbPrincipalExpiration should be checked in pre-bind op
>
>         https://fedorahosted.org/freeipa/ticket/3306
>         [RFE] Expose the krbPrincipalExpiration attribute for editing in
>         the IPA CLI /
>         WEBUI
>
>
>         Anyway, if you want a support for this particular plugin, you
>         can file an RFE
>         to Trac/Bugzilla  which we will further process.
>
>         HTH,
>         Martin
>
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

More information about the Freeipa-users mailing list