[Freeipa-users] Remove password expiration after useradd

Martin Kosek mkosek at redhat.com
Thu Feb 5 14:01:26 UTC 2015


On 02/05/2015 01:21 PM, Dmitri Pal wrote:
> On 02/05/2015 05:54 AM, Matt . wrote:
>> In the past we have done some test setups with password expiring after
>> we added a user, at the moment I have difficulties with this on 4.1.2
>>
>> What I need is the following:
>>
>> - We add a user using json/kinit
>> - The user is added in the right way
>> - The user should be able to use his set password by the admin (at least ldap)
>>
>> At the moment the password is expired directly and I tried adding the
>> user with min/max lifetime to 0/0 which didn't work out. Also 0/500
>> doesn't seem to fix my issue.
>>
>> I thought we had to do a little bit more to accomplish this, but I'm
>> not able to find this (anymore)
>>
>> Does someone have a clue how to fix this? I'm quite sure this is possible.
>>
>> Thanks,
>>
>> Matt
>>
> It was always the feature of IPA to require password change on the first login
> after it was created.

Yup. You can do some more reading here:
http://www.freeipa.org/page/New_Passwords_Expired

> If you do not want it to be expired you need to change the expiration attribute
> of the account not min max life.

Not sure what you mean now. But the administratively set passwords are always
expired from the beginning, so the user has to change it. Then, the password
policy applies.

When you want to have non-expired passwords when added via some 3rd password
management service, you would need to set its principal as password
synchronization agent (see the referred wiki page).

Martin



