Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

28.5. Changing Password Expiration Date with Immediate Effect

You can use the ipa user-mod or ldapmodify utilities to change the expiration date of a user password.

Changing the expiration date of a user password by using the ipa user-mod utility

  • To enforce an immediate change of the expiration date, use ipa user-mod command with the --password-expiration option. For example, to set the expiration date to 2016-02-03 20:37:34 in the UTC time zone, run: 
    # ipa user-mod user_name --password-expiration='2016-02-03 20:37:34Z'
    Note that the command uses a generalized time format and setting the expiration date to 20160203203734Z is also possible.

Changing the expiration date of a user password by using the ldapmodify utility

To enforce an immediate change of the expiration date, reset the krbPasswordExpiration attribute value in LDAP.
To change the expiration date for a single user:
  1. Set the new value for the krbPasswordExpiration attribute for the user entry by using the following command: 
     # ldapmodify -D "cn=Directory Manager" -w secret -h server.example.com -p 389 -vv

dn: uid=user_name,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
replace: krbPasswordExpiration
krbPasswordExpiration: 20160203203734Z
    The krbPasswordExpiration format follows generalized time format YYYMMDDHHMMSS.0Z.
  2. Press Ctrl+D to confirm and send the changes to the server.
To edit multiple entries at once, use ldapmodify with the -f option to reference an LDIF file.