Hi Florence, alas, same issue ipa: error: no such option: --password-expiration Ok, the functionality was added in 4.6.0 (see Release notes

----- Mail original ----- De: "Florence Blanc-Renaud" <flo(a)redhat.com&gt; À: phiroc(a)free.fr Cc: freeipa-users(a)lists.fedorahosted.org Envoyé: Mardi 7 Février 2023 17:12:32 Objet: Re: [Freeipa-users] password-expiration Hi, On Tue, Feb 7, 2023 at 4:49 PM < phiroc(a)free.fr > wrote: Hi Florence, unfortunately, ipa user-mod user1 --krbpasswordexpiration='2024-06-28 07:49:37Z' Usage: ipa [global-options] user-mod LOGIN [options] ipa: error: no such option: --krbpasswordexpiration My bad, I copied the attribute name instead of the CLI option name. Can you try with ipa user-mod LOGIN --password-expiration =DATETIME Note: if you type ipa user-mod --help you can see all the available options. flo -- ipa --version VERSION: 4.5.4, API_VERSION: 2.228 ----- Mail original ----- De: "Florence Blanc-Renaud" < flo(a)redhat.com > À: "FreeIPA users list" < freeipa-users(a)lists.fedorahosted.org > Cc: phiroc(a)free.fr Envoyé: Mardi 7 Février 2023 16:40:11 Objet: Re: [Freeipa-users] password-expiration Hi, On Tue, Feb 7, 2023 at 4:11 PM None via FreeIPA-users < freeipa-users(a)lists.fedorahosted.org > wrote: Hello, in FreeIPA 4.5.4, how do you reset a user's password expiration date? IIRC the command "ipa user-mod LOGIN --krbpasswordexpiration=DATETIME was already available in that version. flo Many thanks. Best regards, Philippe _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

Hi Florence, I've tried the --setattr option with 'first', ipa user-mod user1 --setattr first=phil ... but to no avail ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'first' attribute of entry 'uid=...'. ----- Mail original ----- De: "Florence Blanc-Renaud via FreeIPA-users" <freeipa-users(a)lists.fedorahosted.org&gt; À: phiroc(a)free.fr Cc: freeipa-users(a)lists.fedorahosted.org, "Florence Blanc-Renaud" <flo(a)redhat.com&gt; Envoyé: Mardi 7 Février 2023 17:37:19 Objet: [Freeipa-users] Re: password-expiration Hi, On Tue, Feb 7, 2023 at 5:23 PM < phiroc(a)free.fr > wrote: Hi Florence, alas, same issue ipa: error: no such option: --password-expiration Ok, the functionality was added in 4.6.0 (see Release notes ) so you need to use directly ipa user-mod LOGIN --setattr krbpasswordexpiration =VALUE flo ----- Mail original ----- De: "Florence Blanc-Renaud" < flo(a)redhat.com > À: phiroc(a)free.fr Cc: freeipa-users(a)lists.fedorahosted.org Envoyé: Mardi 7 Février 2023 17:12:32 Objet: Re: [Freeipa-users] password-expiration Hi, On Tue, Feb 7, 2023 at 4:49 PM < phiroc(a)free.fr > wrote: Hi Florence, unfortunately, ipa user-mod user1 --krbpasswordexpiration='2024-06-28 07:49:37Z' Usage: ipa [global-options] user-mod LOGIN [options] ipa: error: no such option: --krbpasswordexpiration My bad, I copied the attribute name instead of the CLI option name. Can you try with ipa user-mod LOGIN --password-expiration =DATETIME Note: if you type ipa user-mod --help you can see all the available options. flo

Hi Rob, thanks for your feedback. Unfortunately, ipa user-mod user1 --setattr givenname=phili ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'givenName' attribute of entry 'uid=...'. >> In general we strongly encourage you to upgrade to a supported release I wish I could. I'll report it to my manager. ----- Mail original ----- De: "Rob Crittenden" <rcritten(a)redhat.com&gt; À: "FreeIPA users list" <freeipa-users(a)lists.fedorahosted.org&gt; Cc: phiroc(a)free.fr Envoyé: Mardi 7 Février 2023 17:51:20 Objet: Re: [Freeipa-users] Re: password-expiration When using --setattr you have to use the LDAP attribute name. So in this case givenname. 4.5.4 is getting along to 6 years old now. In general we strongly encourage you to upgrade to a supported release, one release at a time (there is no going from 4.5 to 4.10 directly). rob None via FreeIPA-users wrote: > > > Hi Florence, > > I've tried the --setattr option with 'first', > > > ipa user-mod user1 --setattr first=phil > > ... but to no avail > > ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'first' attribute of > entry 'uid=...'. > > > > ----- Mail original ----- > De: "Florence Blanc-Renaud via FreeIPA-users" <freeipa-users(a)lists.fedorahosted.org&gt; > À: phiroc(a)free.fr > Cc: freeipa-users(a)lists.fedorahosted.org, "Florence Blanc-Renaud" <flo(a)redhat.com&gt; > Envoyé: Mardi 7 Février 2023 17:37:19 > Objet: [Freeipa-users] Re: password-expiration > > > > > > Hi, > > > > On Tue, Feb 7, 2023 at 5:23 PM < phiroc(a)free.fr > wrote: > > > Hi Florence, > alas, same issue > > ipa: error: no such option: --password-expiration > > > > Ok, the functionality was added in 4.6.0 (see Release notes ) so you need to use directly ipa user-mod LOGIN --setattr krbpasswordexpiration =VALUE > flo > > > > > > > ----- Mail original ----- > De: "Florence Blanc-Renaud" < flo(a)redhat.com > > À: phiroc(a)free.fr > Cc: freeipa-users(a)lists.fedorahosted.org > Envoyé: Mardi 7 Février 2023 17:12:32 > Objet: Re: [Freeipa-users] password-expiration > > > > > Hi, > > > > On Tue, Feb 7, 2023 at 4:49 PM < phiroc(a)free.fr > wrote: > > > Hi Florence, > unfortunately, > > ipa user-mod user1 --krbpasswordexpiration='2024-06-28 07:49:37Z' > Usage: ipa [global-options] user-mod LOGIN [options] > > ipa: error: no such option: --krbpasswordexpiration > > > My bad, I copied the attribute name instead of the CLI option name. Can you try with > ipa user-mod LOGIN --password-expiration =DATETIME > > > Note: if you type ipa user-mod --help you can see all the available options. > flo > >

Hi Rob, I’m not at work anymore. How do you find out which credentials you need to modify users in ipa? Do you need to be root? When using the FreeIPA GUI, I’ve no problem creating and modifying users, adding them to groups, etc. However, in the GUI, the password-expiration field is readonly, which is why I have attempted modifying its value on the CLI. > Le 7 févr. 2023 à 18:53, Rob Crittenden <rcritten(a)redhat.com&gt; a écrit : > > What user principal are you using? Do you have permissions to modify > this other user's information? The error message says you don't. > > rob > > phiroc(a)free.fr wrote: >> >> Hi Rob, >> >> thanks for your feedback. >> >> Unfortunately, >> >> ipa user-mod user1 --setattr givenname=phili >> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'givenName' attribute of entry 'uid=...'. >> >> >>>> In general we strongly encourage you to upgrade to a supported release >> >> I wish I could. I'll report it to my manager. >> >> >> >> >> ----- Mail original ----- >> De: "Rob Crittenden" <rcritten(a)redhat.com&gt; >> À: "FreeIPA users list" <freeipa-users(a)lists.fedorahosted.org&gt; >> Cc: phiroc(a)free.fr >> Envoyé: Mardi 7 Février 2023 17:51:20 >> Objet: Re: [Freeipa-users] Re: password-expiration >> >> When using --setattr you have to use the LDAP attribute name. So in this >> case givenname. >> >> 4.5.4 is getting along to 6 years old now. In general we strongly >> encourage you to upgrade to a supported release, one release at a time >> (there is no going from 4.5 to 4.10 directly). >> >> rob >> >> None via FreeIPA-users wrote: >>> >>> >>> Hi Florence, >>> >>> I've tried the --setattr option with 'first', >>> >>> >>> ipa user-mod user1 --setattr first=phil >>> >>> ... but to no avail >>> >>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'first' attribute of >>> entry 'uid=...'. >>> >>> >>> >>> ----- Mail original ----- >>> De: "Florence Blanc-Renaud via FreeIPA-users" <freeipa-users(a)lists.fedorahosted.org&gt; >>> À: phiroc(a)free.fr >>> Cc: freeipa-users(a)lists.fedorahosted.org, "Florence Blanc-Renaud" <flo(a)redhat.com&gt; >>> Envoyé: Mardi 7 Février 2023 17:37:19 >>> Objet: [Freeipa-users] Re: password-expiration >>> >>> >>> >>> >>> >>> Hi, >>> >>> >>> >>> On Tue, Feb 7, 2023 at 5:23 PM < phiroc(a)free.fr > wrote: >>> >>> >>> Hi Florence, >>> alas, same issue >>> >>> ipa: error: no such option: --password-expiration >>> >>> >>> >>> Ok, the functionality was added in 4.6.0 (see Release notes ) so you need to use directly ipa user-mod LOGIN --setattr krbpasswordexpiration =VALUE >>> flo >>> >>> >>> >>> >>> >>> >>> ----- Mail original ----- >>> De: "Florence Blanc-Renaud" < flo(a)redhat.com > >>> À: phiroc(a)free.fr >>> Cc: freeipa-users(a)lists.fedorahosted.org >>> Envoyé: Mardi 7 Février 2023 17:12:32 >>> Objet: Re: [Freeipa-users] password-expiration >>> >>> >>> >>> >>> Hi, >>> >>> >>> >>> On Tue, Feb 7, 2023 at 4:49 PM < phiroc(a)free.fr > wrote: >>> >>> >>> Hi Florence, >>> unfortunately, >>> >>> ipa user-mod user1 --krbpasswordexpiration='2024-06-28 07:49:37Z' >>> Usage: ipa [global-options] user-mod LOGIN [options] >>> >>> ipa: error: no such option: --krbpasswordexpiration >>> >>> >>> My bad, I copied the attribute name instead of the CLI option name. Can you try with >>> ipa user-mod LOGIN --password-expiration =DATETIME >>> >>> >>> Note: if you type ipa user-mod --help you can see all the available options. >>> flo >>> >>> >> >

I’m in a similar situation and need to upgrade. These docs are what I found https://www.freeipa.org/page/Upgrade#FreeIPA_4.2.0_or_newer and it seems to imply to simply run a yum update freeipa-server to go to the latest version. Is there some other documentation I should be following?

-Kevin > On Feb 7, 2023, at 10:51 AM, Rob Crittenden via FreeIPA-users > <freeipa-users(a)lists.fedorahosted.org&gt; wrote: > > When using --setattr you have to use the LDAP attribute name. So in this > case givenname. > > 4.5.4 is getting along to 6 years old now. In general we strongly > encourage you to upgrade to a supported release, one release at a time > (there is no going from 4.5 to 4.10 directly). > > rob > > None via FreeIPA-users wrote: >> >> >> Hi Florence, >> >> I've tried the --setattr option with 'first', >> >> >> ipa user-mod user1 --setattr first=phil >> >> ... but to no avail >> >> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to >> the 'first' attribute of >> entry 'uid=...'. >> >> >> >> ----- Mail original ----- >> De: "Florence Blanc-Renaud via FreeIPA-users" >> <freeipa-users(a)lists.fedorahosted.org&gt; >> À: phiroc(a)free.fr >> Cc: freeipa-users(a)lists.fedorahosted.org, "Florence Blanc-Renaud" >> <flo(a)redhat.com&gt; >> Envoyé: Mardi 7 Février 2023 17:37:19 >> Objet: [Freeipa-users] Re: password-expiration >> >> >> >> >> >> Hi, >> >> >> >> On Tue, Feb 7, 2023 at 5:23 PM < phiroc(a)free.fr > wrote: >> >> >> Hi Florence, >> alas, same issue >> >> ipa: error: no such option: --password-expiration >> >> >> >> Ok, the functionality was added in 4.6.0 (see Release notes ) so you >> need to use directly ipa user-mod LOGIN --setattr >> krbpasswordexpiration =VALUE >> flo >> >> >> >> >> >> >> ----- Mail original ----- >> De: "Florence Blanc-Renaud" < flo(a)redhat.com > >> À: phiroc(a)free.fr >> Cc: freeipa-users(a)lists.fedorahosted.org >> Envoyé: Mardi 7 Février 2023 17:12:32 >> Objet: Re: [Freeipa-users] password-expiration >> >> >> >> >> Hi, >> >> >> >> On Tue, Feb 7, 2023 at 4:49 PM < phiroc(a)free.fr > wrote: >> >> >> Hi Florence, >> unfortunately, >> >> ipa user-mod user1 --krbpasswordexpiration='2024-06-28 07:49:37Z' >> Usage: ipa [global-options] user-mod LOGIN [options] >> >> ipa: error: no such option: --krbpasswordexpiration >> >> >> My bad, I copied the attribute name instead of the CLI option name. >> Can you try with >> ipa user-mod LOGIN --password-expiration =DATETIME >> >> >> Note: if you type ipa user-mod --help you can see all the available >> options. >> flo >> >> > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue