[Freeipa-users] Re: [EXTERNAL] Re: Password Policy Question

Is it worth a Feature Request ? Either here or at Red Hat ?

______________________________________________________________________________________________ Daniel E. White daniel.e.white(a)nasa.gov NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room E175 Greenbelt, MD 20771 Office: (301) 286-6919 Mobile: (240) 513-5290 From: Rob Crittenden <rcritten(a)redhat.com&gt; Date: Monday, July 6, 2020 at 16:12 To: FreeIPA <freeipa-users(a)lists.fedorahosted.org&gt; Cc: Daniel White <daniel.e.white(a)nasa.gov&gt; Subject: [EXTERNAL] Re: [Freeipa-users] Password Policy Question White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote: Are there settings in FreeIPA similar to the setting available from the chage command ? I am specifically looking for a setting for the time after a password expires to allow the user to update it. I am looking for the same "grace period" that the non-IPA shell password has. From the change man page: -M, --maxdays MAX_DAYS Set the maximum number of days during which a password is valid. When MAX_DAYS plus LAST_DAY is less than the current day, the user will be required to change his/her password before being able to use his/her account. -I, --inactive INACTIVE Set the number of days of inactivity after a password has expired before the account is locked. The INACTIVE option is the number of days of inactivity. A user whose account is locked must contact the system administrator before being able to use the system again. I find nothing like this in the documentation. I do know, however, that when a user is initially created, the password expire time is set to the current clock time. When the user logs in for the first time, they are prompted to change their password. I am looking for a parameter -- like chage's INACTIVE -- that defines a grace period from the time the password expires until the account is locked and requires admin intervention. Or does that only happen for the account creation ? There is nothing automated to do this. Theoretically you could use krbprincipalexpiration to enforce this but there is nothing that will add some offset to it when a password is changed. I think it would be fairly straightforward to add but it would require a new policy attribute, new CLI/UI to manage that attribute, etc. The actual setting of the attribute is probably like 5 lines of code. rob _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...