Change password expiration warning period for IdM users

Solution Verified - Updated -

Issue

  • IdM user has a password expiry date set:

    # ipa user-show bob --all
    User login: bob
    <...>
    User password expiration: 20240725000000Z      <<<<<=====
    
  • When logging in to the host via SSH, an expiration warning is displayed:

    $ ssh bob@ipaclient.example.com
    (bob@ipaclient.example.com) Password:
    Your password will expire in 5 days.           <<<<<=====
    Register this system with Red Hat Insights: insights-client --register
    Create an account or view all your systems at https://red.ht/insights-dashboard
    Last login: Fri Jul 19 02:57:59 2024 from 192.168.1.2
    [bob@ipaclient ~]$
    
  • The same expiration warning is displayed when switching users via su:

    $ su - bob
    Password: 
    Your password will expire in 5 days.           <<<<<=====
    Last login: Fri Jul 19 17:53:02 AEST 2024 on pts/0
    [bob@ipaclient ~]$ 
    
  • The default notification period is 7 days.

  • A 14-day notification period is required. Updating PASS_WARN_AGE in /etc/login.defs does not change the behaviour:

    PASS_WARN_AGE 14
    
  • How can the notification period be changed to 14 days?

Environment

  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • Red Hat Enterprise Linux 10
  • Red Hat Identity Management (IdM) / FreeIPA
  • System Security Services Daemon (SSSD)
