IPA problems
Hi all,
Problem (1)
I'm having a serious issue with the password global_policy in the IPA server.
Not too long ago I set the Max Lifetime to 99999 in the password global_policy.
The change didn't get reflected across all the users; this policy takes effect only for new users.
The old users are still on the 90-day policy.
My goal is to change krbPasswordExpiration without having to reset the passwords of all my users. Is this possible?
Problem (2)
I have several standard groups defined in the IPA server.
For some reason, when I list the members belonging to a particular group, the list shows half of the members that I added to that group. The odd thing is that when I run the command ipa user-show johnsmith, the user information shows up correctly and I can see the group with the right gid. But if I issue the command ipa group-show groupName, johnsmith is not in the group as it is supposed to be. It seems like the groups are losing the reference to their member users.
Is there any way to fix this? I would appreciate it if anyone can shed some light on this.
Thank you
Marcello
Responses
Marcello,
I did run a quick test on the global password policy and noticed that the "Max lifetime" seemed to take effect immediately for individual users:
# ipa pwpolicy-mod global_policy --maxlife 99999
Group: global_policy
Max lifetime (days): 99999
Min lifetime (hours): 1
History size: 0
Character classes: 0
Min length: 8
Max failures: 6
Failure reset interval: 60
Lockout duration: 600
# ipa pwpolicy-show --user=chris
Group: global_policy
Max lifetime (days): 99999
Min lifetime (hours): 1
History size: 0
Character classes: 0
Min length: 8
Max failures: 6
Failure reset interval: 60
Lockout duration: 600
Are you seeing different behavior?
-Chris
>> do I have to reset the user password every time I change the value of the Max Lifetime field?
The max age is calculated based on the policy applicable to the user when they change the password (and it's stored in krbPasswordExpiration). Changing the policy won't change the krbPasswordExpiration value that already exists, so you have to either:
1. Let users change their password, so they'll get the updated max lifetime for their password.
or
2. Update the 'krbPasswordExpiration' attribute for the users manually.
For example:
# ldapmodify -x -D cn="Directory Manager" -w <DMs passwd>
dn: uid=ipa-ldap1,cn=users,cn=accounts,dc=gsslab,dc=pnq,dc=redhat,dc=com
changetype: modify
replace: krbpasswordexpiration
krbpasswordexpiration: 20150205082946Z
modifying entry "uid=ipa-ldap1,cn=users,cn=accounts,dc=gsslab,dc=pnq,dc=redhat,dc=com"
You have to run the above (script it, or pre-create an ldif with necessary contents) for all users.
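As an added example (not code from the thread) of the "pre-create an ldif" route suggested above: a Python script that reads an ldapsearch-style dump of the user entries, recomputes each user's krbPasswordExpiration as its krbLastPwdChange plus the new max lifetime in days, and writes one ldapmodify record per user in the same shape as the reply's example. The use of krbLastPwdChange as the reference time, the sample DNs and the dates are assumptions; the output is what you would feed to ldapmodify.

```python
"""Bulk-regenerate krbPasswordExpiration for IPA users as an LDIF (constructed example)."""
from datetime import datetime, timedelta, timezone

GENTIME = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime, the format krbPasswordExpiration uses

# Constructed ldapsearch-style dump (assumed attribute names/DNs); bob has never set a password.
SAMPLE_DUMP = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
krbLastPwdChange: 20150205082946Z
krbPasswordExpiration: 20150506082946Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
"""


def parse_user_dump(text):
    """Parse a minimal 'attr: value' dump into {dn: {attr: value}} (single-valued attrs only)."""
    entries, cur = {}, None
    for line in text.splitlines():
        if not line.strip():
            cur = None  # blank line ends the current entry
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            cur = value
            entries[cur] = {}
        elif cur is not None:
            entries[cur][attr] = value
    return entries


def new_expiration(last_change, maxlife_days):
    """Expiration = time of the last password change + the policy's max lifetime."""
    changed = datetime.strptime(last_change, GENTIME).replace(tzinfo=timezone.utc)
    return (changed + timedelta(days=maxlife_days)).strftime(GENTIME)


def build_ldif(dump_text, maxlife_days):
    """One 'changetype: modify' record per user; users with no recorded change are skipped."""
    records = []
    for dn, attrs in parse_user_dump(dump_text).items():
        last = attrs.get("krbLastPwdChange")
        if last is None:
            continue  # no reference time: leave the entry alone rather than guess
        records.append(f"dn: {dn}\nchangetype: modify\nreplace: krbPasswordExpiration\n"
                       f"krbPasswordExpiration: {new_expiration(last, maxlife_days)}\n")
    return "\n".join(records)


if __name__ == "__main__":
    print(build_ldif(SAMPLE_DUMP, 99999))  # pipe into: ldapmodify -x -D "cn=Directory Manager" -W
```

Dump only the attributes you need with ldapsearch first, and review the generated LDIF before applying it, since `replace` overwrites the existing value for every listed user.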
