IPA problems

Hi all,

Problem (1)

I'm having a serious issue with the password global_policy in the IPA server.

Not too long ago I set the Max Lifetime to 99999 in the global_policy for passwords.

The change didn't get reflected across all the users; this policy takes effect only for new users.
The old users are still on the 90-day policy.

My goal is to change the krbPasswordExpiration without having to reset the password of all my users. Is this possible?

Problem (2)

I have several standard groups defined in the IPA server.

For some reason, when I list the members belonging to a particular group, the list shows half of the members that I added to that group. The odd thing is that when I run the command ipa user-show johnsmith, the user information shows up correctly and I can see the group with the right GID. But if I issue the command ipa group-show groupName, johnsmith is not in the group as it is supposed to be. It seems like the groups are losing the references to their member users.

Is there any way to fix this? I would appreciate it if anyone can shed some light on this.

Thank you

Marcello

Responses

Hi Marcello,

I will have to do a little bit of research, but before doing so I want to make sure you are running the latest RHEL6.3/IPA2.2. Can you please confirm?

-Chris

Marcello,

I did run a quick test on the global password policy and noticed that the "Max lifetime" seemed to take effect immediately for individual users:

# ipa pwpolicy-mod global_policy --maxlife 99999
Group: global_policy
Max lifetime (days): 99999
Min lifetime (hours): 1
History size: 0
Character classes: 0
Min length: 8
Max failures: 6
Failure reset interval: 60
Lockout duration: 600

# ipa pwpolicy-show --user=chris
Group: global_policy
Max lifetime (days): 99999
Min lifetime (hours): 1
History size: 0
Character classes: 0
Min length: 8
Max failures: 6
Failure reset interval: 60
Lockout duration: 600

Are you seeing different behavior?

-Chris

Hi Chris,

I'm running ipa-server 2.2.
I'm not going to set the max lifetime policy back to 99999 since I already changed it to 9138. I'm afraid that if I do so I will have to reset all user passwords. What I can tell you now is that if I run the command
ipa pwpolicy-show --user marcello I see the correct value 9138.
Before, when I had 99999, I was seeing a different value than 99999.
In any case, what I'm really interested to know is: do I have to reset the user password every time I change the value of the Max Lifetime field?

Thank you for the help
Marcello

>> do I have to reset the user password every time I change the value of the Max Lifetime field?

The max age is calculated based on the policy applicable to the user when he changes the password (and it's stored in krbPasswordExpiration). Changing the policy won't change the krbPasswordExpiration value that already exists, so you have to:

1. Let users change their password, so they'll have the updated Max lifetime for their password.

or

2. Update the 'krbPasswordExpiration' attribute for the users manually.

For example:

# ldapmodify -x -D cn="Directory Manager" -w <DMs passwd>
dn: uid=ipa-ldap1,cn=users,cn=accounts,dc=gsslab,dc=pnq,dc=redhat,dc=com
changetype: modify
replace: krbpasswordexpiration
krbpasswordexpiration: 20150205082946Z

modifying entry "uid=ipa-ldap1,cn=users,cn=accounts,dc=gsslab,dc=pnq,dc=redhat,dc=com"

You have to run the above (script it, or pre-create an LDIF with the necessary contents) for all users.
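One way to pre-create that LDIF for every user, added here as an example and not part of the thread or of IPA's own tooling: it reads the result of an ldapsearch for krbLastPwdChange (a constructed sample below, with hypothetical user names and base DN), adds the policy's Max lifetime in days, and emits one ldapmodify change record per user in the form shown above; both attributes use LDAP generalized time (YYYYMMDDHHMMSSZ), as in the example date.

```python
from datetime import datetime, timedelta, timezone

# LDAP generalized time, the format of krbPasswordExpiration and krbLastPwdChange
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"

# Constructed sample of an ldapsearch result for krbLastPwdChange;
# user names and base DN are hypothetical. carol has never changed her password.
SAMPLE_SEARCH = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
krbLastPwdChange: 20140501120000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
krbLastPwdChange: 20141115083000Z

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
"""

def parse_entries(search_output):
    """Return [(dn, krbLastPwdChange or None), ...] from minimal LDIF search output."""
    entries, dn, last = [], None, None
    for line in search_output.splitlines():
        if line.startswith("dn: "):
            dn, last = line[4:].strip(), None
        elif line.lower().startswith("krblastpwdchange: "):
            last = line.split(": ", 1)[1].strip()
        elif not line.strip() and dn:          # a blank line ends an entry
            entries.append((dn, last))
            dn = None
    if dn:                                     # last entry has no trailing blank line
        entries.append((dn, last))
    return entries

def new_expiration(last_change, maxlife_days):
    """Expiration = last password change + the policy's Max lifetime in days."""
    changed = datetime.strptime(last_change, GENERALIZED_TIME).replace(tzinfo=timezone.utc)
    return (changed + timedelta(days=maxlife_days)).strftime(GENERALIZED_TIME)

def build_ldif(search_output, maxlife_days):
    """One ldapmodify change record per user, in the form shown in the thread.
    Users with no recorded password change are skipped, not given a guessed date."""
    records = []
    for dn, last in parse_entries(search_output):
        if last is None:
            continue
        records.append(f"dn: {dn}\nchangetype: modify\nreplace: krbPasswordExpiration\n"
                       f"krbPasswordExpiration: {new_expiration(last, maxlife_days)}\n")
    return "\n".join(records)

if __name__ == "__main__":
    print(build_ldif(SAMPLE_SEARCH, 9138))
```

Review the generated records before feeding them to ldapmodify -x -D "cn=Directory Manager" -W; a user with no krbLastPwdChange is left alone rather than given a computed date.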

Najmuddin is correct. While the ipa command shows the Max Lifetime as having changed, existing users must still change their passwords to get the new Max Lifetime to take effect (unless you perform the ldapmodify mentioned instead).

-Chris

I want to thank Najmuddin and Chris for answering all my questions.

Marcello