[Freeipa-users] Password expiry when account provisioned/updated via JSON RPC

Martin Kosek mkosek at redhat.com
Tue Feb 26 08:22:14 UTC 2013


On 02/25/2013 04:38 PM, Brian Smith wrote:
> It seems that regardless of the global password expiry setting, that setting a
> password via the methods
> 
> user-add
> passwd
> 
> I will always have a password that expires in 90 days.  I followed the
> instructions here http://freeipa.org/page/PasswordSynchronization
> 
> to avoid the immediate expiry, but I need at least 180 days for my
> configuration to work.
> 
> Any help would be appreciated!
> 
> -- 
> Brian Smith
> Assistant Director
> Research Computing, University of South Florida
> 4202 E. Fowler Ave. SVC4010
> Office Phone: +1 813 974-1467
> Organization URL: http://rc.usf.edu
> 

Hello Brian,

Updating the maximum password expiration time with "ipa pwpolicy-mod" affects only
new passwords, i.e. a password that you already changed will have the old lifetime.

When I tested this on Fedora 18, password change worked for me:

# ipa pwpolicy-mod --maxlife 180
  Group: global_policy
  Max lifetime (days): 180
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600

# ipa user-add --first=Foo --last=Bar fbar
-----------------
Added user "fbar"
-----------------
  User login: fbar
  First name: Foo
  Last name: Bar
  Full name: Foo Bar
  Display name: Foo Bar
  Initials: FB
  Home directory: /home/fbar
  GECOS field: Foo Bar
  Login shell: /bin/sh
  Kerberos principal: fbar@EXAMPLE.COM
  Email address: fbar@example.com
  UID: 1758200001
  GID: 1758200001
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
# ipa passwd fbar
New Password:
Enter New Password again to verify:
---------------------------------------
Changed password for "fbar@EXAMPLE.COM"
---------------------------------------

$ ssh fbar@ipa.client.fqdn
fbar@ipa.client.fqdn's password:
Password expired. Change your password now.
Last login: Tue Feb 26 09:16:39 2013 from 10.0.0.1
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user fbar.
Current Password:
New password:
Retype new password:
Your password will expire in 180 day(s).    <<<<<<<<<<<<<<<
passwd: all authentication tokens updated successfully.
Connection to ipa.client.fqdn closed.

Does this use case work for you or are you hitting a bug?


As for the warning about expiring password, this is a bug in the sssd component
which was already fixed upstream:

https://fedorahosted.org/sssd/ticket/1808

Martin
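
An added example, not part of the original message or of FreeIPA's own code: an audit that shows which accounts carry the new maximum lifetime and which still hold a lifetime set before the policy change. It assumes the directory attributes krbLastPwdChange and krbPasswordExpiration have been exported as LDIF; the sample entries are constructed, and a zero lifetime is taken to mean a password set by an administrator and expired at once, as in the session above.

```python
from datetime import datetime, timezone

# Constructed sample, shaped like an LDIF export of three user entries.
SAMPLE_LDIF = """\
dn: uid=fbar,cn=users,cn=accounts,dc=example,dc=com
uid: fbar
krbLastPwdChange: 20130226081639Z
krbPasswordExpiration: 20130825081639Z

dn: uid=olduser,cn=users,cn=accounts,dc=example,dc=com
uid: olduser
krbLastPwdChange: 20130110120000Z
krbPasswordExpiration: 20130410120000Z

dn: uid=newuser,cn=users,cn=accounts,dc=example,dc=com
uid: newuser
krbLastPwdChange: 20130226090000Z
krbPasswordExpiration: 20130226090000Z
"""

def parse_time(value):
    """Parse an LDAP GeneralizedTime value such as 20130226081639Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_entries(ldif):
    """Split LDIF text into one attribute dict per entry (single-valued attrs)."""
    entries = []
    for block in ldif.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, val = line.partition(": ")
            attrs[key] = val
        entries.append(attrs)
    return entries

def audit(ldif, maxlife_days):
    """Map uid -> (lifetime in days, status) relative to the policy maxlife."""
    report = {}
    for e in parse_entries(ldif):
        days = (parse_time(e["krbPasswordExpiration"])
                - parse_time(e["krbLastPwdChange"])).days
        if days <= 0:
            status = "expired-on-set"      # user must change at next login
        elif days == maxlife_days:
            status = "current-policy"      # changed after the policy update
        else:
            status = "other-lifetime"      # lifetime from an earlier policy
        report[e["uid"]] = (days, status)
    return report
```

Accounts reported as "other-lifetime" pick up the new value only at their next password change.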



