For your amusement: Red Hat Support referred me to https://bugzilla.redhat.com/show_bug.cgi?id=1273040 (A RHEL 7 RFE)
and https://bugzilla.redhat.com/show_bug.cgi?id=1654395 (The same RFE, pushed to RHEL 8) …, saying, "You can also set a policy to automatically disable an account if the password has not been changed within X number of weeks after the password has expired."

Maybe I can get some technical detail here.

When a new login is created, it has a "temporary" password that must be changed. I have logins I created 4 months ago that have not yet been used. Will the initial password still work?

In the documentation about password policy, referencing the "Max lifetime" attribute, it says, "Example: Max lifetime = 90 -- User passwords are valid only for 90 days. After that, IdM prompts users to change them."

How long can the user wait and still be able to update the password? What controls these behaviors?

______________________________________________________________________________________________
Daniel E. White
[email protected]
NICS Linux Engineer
NASA Goddard Space Flight Center
8800 Greenbelt Road
Building 14, Room E175
Greenbelt, MD 20771
Office: (301) 286-6919
Mobile: (240) 513-5290

From: François Cami <[email protected]>
Date: Monday, July 6, 2020 at 16:22
To: FreeIPA <[email protected]>
Cc: Daniel White <[email protected]>, Rob Crittenden <[email protected]>
Subject: [EXTERNAL] Re: [Freeipa-users] Re: Password Policy Question

On Mon, Jul 6, 2020 at 10:12 PM Rob Crittenden via FreeIPA-users <[email protected]> wrote:
> White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote:
> > Are there settings in FreeIPA similar to the setting available from the
> > chage command? I am specifically looking for a setting for the time
> > after a password expires to allow the user to update it.
> >
> > I am looking for the same "grace period" that the non-IPA shell password
> > has. From the chage man page:
> >
> >     -M, --maxdays MAX_DAYS
> >         Set the maximum number of days during which a password is valid. When
> >         MAX_DAYS plus LAST_DAY is less than the current day, the user will be
> >         required to change his/her password before being able to use his/her
> >         account.
> >
> >     -I, --inactive INACTIVE
> >         Set the number of days of inactivity after a password has expired before
> >         the account is locked. The INACTIVE option is the number of days of
> >         inactivity. A user whose account is locked must contact the system
> >         administrator before being able to use the system again.
> >
> > I find nothing like this in the documentation.
> >
> > I do know, however, that when a user is initially created, the password
> > expire time is set to the current clock time.
> > When the user logs in for the first time, they are prompted to change
> > their password.
> > I am looking for a parameter -- like chage's INACTIVE -- that defines a
> > grace period from the time the password expires until the account is
> > locked and requires admin intervention.
> >
> > Or does that only happen for the account creation?
>
> There is nothing automated to do this. Theoretically you could use
> krbprincipalexpiration to enforce this but there is nothing that will
> add some offset to it when a password is changed.
>
> I think it would be fairly straightforward to add but it would require a
> new policy attribute, new CLI/UI to manage that attribute, etc.

Or ipa-epn ( https://pagure.io/freeipa/issue/3687 ) could be enhanced to do that.
It is able to warn users their passwords will expire in the near future; locking accounts might require running on a replica but adding that feature should be straightforward.

> The actual setting of the attribute is probably like 5 lines of code.

Yes, the change is probably very small.

> rob
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
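The thread compares two models: the shadow-style ageing that chage(1) describes (MAX_DAYS, then INACTIVE days of grace before lockout) and the FreeIPA attributes Rob names (krbpasswordexpiration for the password, krbprincipalexpiration for the whole principal, with no offset between them today). The script below is an added example of my own, not code from the thread, from FreeIPA or from ipa-epn. It implements both rule sets over constructed sample records so the states can be compared, and adds a hypothetical `proposed_principal_expiration` helper and `grace_days` parameter that model the offset Rob says nothing currently adds; those names are assumptions, as are the sample users and the timestamp format.

```python
from datetime import date, datetime, timedelta, timezone


def shadow_state(last_day, max_days, inactive, today):
    """Classify an account by the chage(1) rules quoted in the thread.

    'valid'   : LAST_DAY + MAX_DAYS is not yet in the past
    'expired' : past MAX_DAYS, login allowed only to change the password
    'locked'  : past MAX_DAYS + INACTIVE, admin intervention required
    inactive=None or a negative value means "never lock" (chage -I -1).
    """
    expires_on = last_day + timedelta(days=max_days)
    if today <= expires_on:
        return "valid"
    if inactive is None or inactive < 0:
        return "expired"
    if today <= expires_on + timedelta(days=inactive):
        return "expired"
    return "locked"


def ipa_state(krbpasswordexpiration, krbprincipalexpiration, now):
    """FreeIPA as the thread describes it: an expired password still lets the
    user authenticate to change it; an expired principal stops everything."""
    if krbprincipalexpiration is not None and now >= krbprincipalexpiration:
        return "locked"
    if now >= krbpasswordexpiration:
        return "expired"
    return "valid"


def proposed_principal_expiration(krbpasswordexpiration, grace_days):
    """Hypothetical policy hook (an assumption, not FreeIPA behaviour): on each
    password change, set krbprincipalexpiration to grace_days after the new
    krbpasswordexpiration, giving FreeIPA an INACTIVE-style grace window."""
    return krbpasswordexpiration + timedelta(days=grace_days)


def audit(users, grace_days, now):
    """Return {uid: (state, proposed principal expiration as an ISO string)}.

    'expired' entries are the ones an ipa-epn style job would warn about;
    'locked' entries are past the grace window and would be disabled.
    The timestamp format is an assumption for display only.
    """
    report = {}
    for u in users:
        state = ipa_state(u["krbpasswordexpiration"],
                          u.get("krbprincipalexpiration"), now)
        proposed = proposed_principal_expiration(u["krbpasswordexpiration"],
                                                 grace_days)
        if state != "locked" and now >= proposed:
            state = "locked"  # what the proposed policy would have enforced
        report[u["uid"]] = (state, proposed.strftime("%Y-%m-%dT%H:%M:%SZ"))
    return report


NOW = datetime(2020, 7, 7, 12, 0, tzinfo=timezone.utc)
MAXLIFE_DAYS = 90  # the "Max lifetime = 90" example from the IdM docs

# Constructed sample records (not real accounts).
USERS = [
    # Created four months ago and never used: the temporary password's
    # expiration was set to the creation time, exactly as Daniel describes.
    {"uid": "newhire",
     "krbpasswordexpiration": datetime(2020, 3, 7, 9, 0, tzinfo=timezone.utc)},
    # Changed the password 30 days ago under maxlife=90: still valid.
    {"uid": "active",
     "krbpasswordexpiration": datetime(2020, 6, 7, 9, 0, tzinfo=timezone.utc)
                              + timedelta(days=MAXLIFE_DAYS)},
    # Password expired 10 days ago: inside a 30-day grace window.
    {"uid": "lapsed",
     "krbpasswordexpiration": datetime(2020, 6, 27, 9, 0, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    for uid, (state, proposed) in audit(USERS, grace_days=30, now=NOW).items():
        print(f"{uid:8} {state:8} principal would expire {proposed}")
```

Running it classifies `newhire` as locked (the temporary password expired at creation and the 30-day grace window has long passed), `active` as valid and `lapsed` as expired but still inside the window. The same three outcomes fall out of `shadow_state` for the equivalent chage dates, which is the mapping the thread is asking for; what FreeIPA lacks is the step that writes the computed value into krbprincipalexpiration.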
