19.4. Managing Password Expiration Limits

Password policies are applied at the time a password is changed. So, when a password is set, it conforms to the password policy in effect at that time. If the password policy is changed later, that change is not applied, retroactively, to the password.
Setting password expiration periods is configured as part of the group password policy. Creating and editing password policies (including the expiration attribute in the policy) is covered in Section 19.3, “Creating and Editing Password Policies”.
With password expiration periods, there are two attributes that are related:
  • The maximum lifetime setting given in the password policy (--maxlife)
  • The actual date that the password for a given user expires (krbPasswordExpiration)
Changing the password expiration time in the password policy does not affect the expiration date for a user, until the user password is changed. If the password expiration date needs to be changed immediately, it can be changed by editing the user entry.
To force the expiration date to change, reset the krbPasswordExpiration attribute value for the user. This can only be done using ldapmodify. For example, for a single user:
[bjensen@ipaserver ~]$ ldapmodify -D "cn=Directory Manager" -w secret -h ipaserver.example.com -p 389 -vv

dn: uid=jsmith,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
replace: krbpasswordexpiration
krbpasswordexpiration: 20140202203734Z
Multiple entries can be edited simultaneously by referencing an LDIF file in the -f option with the ldamodify command.


If an administrator resets a password, it expires the previous password and forces the user to update the password. When the user updates the password, it automatically uses the new password policies, including a new expiration date.