Are there settings in FreeIPA similar to the setting available from the chage command ?  I am specifically looking for a setting for the time after a password expires to allow the user to update it.

 

I am looking for the same "grace period" that the non-IPA shell password has. From the change man page:

-M, --maxdays MAX_DAYS
Set the maximum number of days during which a password is valid. When MAX_DAYS plus LAST_DAY is less than the current day, the user will be required to change his/her password before being able to use his/her account.
-I, --inactive INACTIVE
Set the number of days of inactivity after a password has expired before the account is locked. The INACTIVE option is the number of days of inactivity. A user whose account is locked must contact the system administrator before being able to use the system again.

 

I find nothing like this in the documentation.

I do know, however, that when a user is initially created, the password expire time is set to the current clock time.
When the user logs in for the first time, they are prompted to change their password.
I am looking for a parameter -- like chage's INACTIVE -- that defines a grace period from the time the password expires until the account is locked and requires admin intervention.

Or does that only happen for the account creation ?

______________________________________________________________________________________________

 

Daniel E. White
daniel.e.white@nasa.gov

NICS Linux Engineer
NASA Goddard Space Flight Center
8800 Greenbelt Road
Building 14, Room E175
Greenbelt, MD 20771

Office: (301) 286-6919

Mobile: (240) 513-5290