[Freeipa-users] non-expiring password policy (or as close as I can come)
Rob Crittenden
rcritten at redhat.com
Thu Jan 24 22:03:00 UTC 2013
KodaK wrote:
> I have a need to have certain mission critical application accounts
> non-expiring (people don't log in directly, but if the accounts expire
> it could stop production jobs.)
>
> I've set "Max lifetime (days)" to 99999 in the web interface, but
> here's what I see when I do "ipa pwpolicy show":
>
> Group: application-accounts
> Max lifetime (days): 8639913600
> Min lifetime (hours): 0
> History size: 0
> Character classes: 3
> Min length: 8
> Priority: 0
> Max failures: 0
> Failure reset interval: 0
> Lockout duration: 0
>
> I have a user that is a member of the application-accounts group and
> they reset their password yesterday, but their password is set to
> expire in three months:
>
> krbpasswordexpiration: 20130423220808Z
> krbpwdpolicyreference: cn=application-accounts
>
> Have I hit some maximum and I'm confusing IPA? Or do I completely
> misunderstand these entries?
>
> I also have a case open with RH on this, but I haven't heard anything
> back yet. If I get this solved through them I'll be sure to reply
> with results.
It is a 32-bit time problem.
I'd set the maxlife no higher than 5000 for now.
rob
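
The arithmetic behind the 32-bit limit named in the reply, as an added example (not part of the original thread and not FreeIPA code). It assumes the expiry is computed as password-change time plus lifetime in seconds and held in a signed 32-bit time_t; the function names and the sample change time are constructed for illustration.

```python
from datetime import datetime, timezone

INT32_MAX = 2**31 - 1        # largest value a signed 32-bit time_t can hold
SECONDS_PER_DAY = 86400


def check_maxlife(days, changed_at):
    """Check a max lifetime (in days) against signed 32-bit time arithmetic.

    changed_at is the timezone-aware moment the password was set.
    Assumption: expiry = change time + lifetime in seconds.
    """
    lifetime_s = days * SECONDS_PER_DAY
    expiry_epoch = int(changed_at.timestamp()) + lifetime_s
    return {
        "lifetime_seconds": lifetime_s,
        # Does the lifetime alone fit in 32 bits?
        "lifetime_fits_int32": lifetime_s <= INT32_MAX,
        # Does the resulting expiry timestamp fit (i.e. fall before January 2038)?
        "expiry_fits_int32": expiry_epoch <= INT32_MAX,
    }


def max_safe_days(changed_at):
    """Largest whole-day lifetime whose expiry still fits in 32 bits."""
    return (INT32_MAX - int(changed_at.timestamp())) // SECONDS_PER_DAY


# Constructed sample: a password change the day before the post was sent.
CHANGED = datetime(2013, 1, 23, 22, 8, 8, tzinfo=timezone.utc)

if __name__ == "__main__":
    # 99999 is the value from the question, 5000 the value suggested in the reply.
    for days in (99999, 5000):
        print(days, check_maxlife(days, CHANGED))
    print("largest safe value on that date:", max_safe_days(CHANGED))
```

The ceiling returned by `max_safe_days` shrinks by one each day as the 2038 boundary approaches, so a value that is safe at one password change can stop being safe at a later one.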