On Mon, Jul 6, 2020 at 10:23 PM White, Daniel E. (GSFC-770.0)[NICS]
via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
Is it worth a Feature Request ? Either here or at Red Hat ?
Ideally through Red Hat Support yes.
______________________________________________________________________________________________
Daniel E. White
daniel.e.white(a)nasa.gov
NICS Linux Engineer
NASA Goddard Space Flight Center
8800 Greenbelt Road
Building 14, Room E175
Greenbelt, MD 20771
Office: (301) 286-6919
Mobile: (240) 513-5290
From: Rob Crittenden <rcritten(a)redhat.com>
Date: Monday, July 6, 2020 at 16:12
To: FreeIPA <freeipa-users(a)lists.fedorahosted.org>
Cc: Daniel White <daniel.e.white(a)nasa.gov>
Subject: [EXTERNAL] Re: [Freeipa-users] Password Policy Question
White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote:
Are there settings in FreeIPA similar to the setting available from the
chage command ? I am specifically looking for a setting for the time
after a password expires to allow the user to update it.
I am looking for the same "grace period" that the non-IPA shell password
has. From the chage man page:
-M, --maxdays MAX_DAYS
Set the maximum number of days during which a password is valid. When
MAX_DAYS plus LAST_DAY is less than the current day, the user will be
required to change his/her password before being able to use his/her
account.
-I, --inactive INACTIVE
Set the number of days of inactivity after a password has expired before
the account is locked. The INACTIVE option is the number of days of
inactivity. A user whose account is locked must contact the system
administrator before being able to use the system again.
I find nothing like this in the documentation.
I do know, however, that when a user is initially created, the password
expire time is set to the current clock time.
When the user logs in for the first time, they are prompted to change
their password.
I am looking for a parameter -- like chage's INACTIVE -- that defines a
grace period from the time the password expires until the account is
locked and requires admin intervention.
Or does that only happen for the account creation ?
There is nothing automated to do this. Theoretically you could use
krbprincipalexpiration to enforce this but there is nothing that will
add some offset to it when a password is changed.
I think it would be fairly straightforward to add but it would require a
new policy attribute, new CLI/UI to manage that attribute, etc.
The actual setting of the attribute is probably like 5 lines of code.
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...