On Mon, Jul 6, 2020 at 10:23 PM White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users <[email protected]> wrote:
>
> Is it worth a Feature Request ? Either here or at Red Hat ?

Ideally through Red Hat Support yes.

> ______________________________________________________________________________________________
>
> Daniel E. White
> [email protected]
>
> NICS Linux Engineer
> NASA Goddard Space Flight Center
> 8800 Greenbelt Road
> Building 14, Room E175
> Greenbelt, MD 20771
>
> Office: (301) 286-6919
> Mobile: (240) 513-5290
>
> From: Rob Crittenden <[email protected]>
> Date: Monday, July 6, 2020 at 16:12
> To: FreeIPA <[email protected]>
> Cc: Daniel White <[email protected]>
> Subject: [EXTERNAL] Re: [Freeipa-users] Password Policy Question
>
> White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote:
> > Are there settings in FreeIPA similar to the setting available from the
> > chage command ? I am specifically looking for a setting for the time
> > after a password expires to allow the user to update it.
> >
> > I am looking for the same "grace period" that the non-IPA shell password
> > has. From the chage man page:
> >
> > -M, --maxdays MAX_DAYS
> > Set the maximum number of days during which a password is valid. When
> > MAX_DAYS plus LAST_DAY is less than the current day, the user will be
> > required to change his/her password before being able to use his/her
> > account.
> >
> > -I, --inactive INACTIVE
> > Set the number of days of inactivity after a password has expired before
> > the account is locked. The INACTIVE option is the number of days of
> > inactivity. A user whose account is locked must contact the system
> > administrator before being able to use the system again.
> >
> > I find nothing like this in the documentation.
> >
> > I do know, however, that when a user is initially created, the password
> > expire time is set to the current clock time.
> > When the user logs in for the first time, they are prompted to change
> > their password.
> >
> > I am looking for a parameter -- like chage's INACTIVE -- that defines a
> > grace period from the time the password expires until the account is
> > locked and requires admin intervention.
> >
> > Or does that only happen for the account creation ?
>
> There is nothing automated to do this. Theoretically you could use
> krbprincipalexpiration to enforce this but there is nothing that will
> add some offset to it when a password is changed.
>
> I think it would be fairly straightforward to add but it would require a
> new policy attribute, new CLI/UI to manage that attribute, etc.
>
> The actual setting of the attribute is probably like 5 lines of code.
>
> rob
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
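
The offset discussed in the thread (password expiration plus a chage-style INACTIVE grace period, written to krbPrincipalExpiration) can be sketched as follows. This is an added example, not code from the thread or from FreeIPA: the function names, the login `jdoe` and the timestamps are constructed, and it assumes the `--principal-expiration` option of `ipa user-mod` is available in the installed FreeIPA version.

```python
from datetime import datetime, timedelta, timezone

# LDAP generalized time, the format krbPasswordExpiration is stored in.
GT_FORMAT = "%Y%m%d%H%M%SZ"


def parse_gt(value):
    """Parse a generalized-time string into an aware UTC datetime."""
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)


def format_gt(moment):
    """Format an aware datetime as generalized time in UTC."""
    return moment.astimezone(timezone.utc).strftime(GT_FORMAT)


def principal_expiration(password_expiration, grace_days):
    """Return krbPasswordExpiration + grace period as a generalized-time string."""
    if grace_days < 0:
        raise ValueError("grace_days must be >= 0")
    return format_gt(parse_gt(password_expiration) + timedelta(days=grace_days))


def account_state(password_expiration, grace_days, now):
    """Classify an account the way chage's MAX_DAYS / INACTIVE pair would."""
    pw_exp = parse_gt(password_expiration)
    locked_at = pw_exp + timedelta(days=grace_days)
    if now < pw_exp:
        return "valid"
    if now < locked_at:
        return "expired: user may still change password"
    return "locked: admin must intervene"


def user_mod_command(login, password_expiration, grace_days):
    """Build (not run) the ipa command that would set the principal expiration."""
    value = principal_expiration(password_expiration, grace_days)
    return ["ipa", "user-mod", login, f"--principal-expiration={value}"]


if __name__ == "__main__":
    # Constructed sample: password expires 2020-07-06 20:12 UTC, 14-day grace.
    pw_exp = "20200706201200Z"
    print(" ".join(user_mod_command("jdoe", pw_exp, 14)))
    for day in (1, 10, 30):
        now = datetime(2020, 7, day, 0, 0, tzinfo=timezone.utc)
        print(now.date(), account_state(pw_exp, 14, now))
```

Because nothing in FreeIPA applies this offset automatically, the value has to be recomputed and set again after every password change, which is the gap Rob describes.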
