note on password changes
Charles Hedrick edited this page Jun 26, 2018 · 5 revisions
When passwords are changed by someone other than the user, the new passwords expire immediately.
Accounts that change passwords on behalf of users, typically a web app, can be exempted, e.g.
```
ldapmodify -Y GSSAPI < foo
```
where foo contains
```
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=hedrick.admin,cn=users,cn=accounts,dc=cs,dc=rutgers,dc=edu
passsyncmanagersdns: krbprincipalname=http/[email protected]. EDU,cn=services,cn=accounts,dc=cs,dc=rutgers,dc=edu
```
WARNING: This change does not replicate. It must be done on every server.
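Because the exemption list is per-server, it is worth auditing each server for drift. The script below is an added example, not part of the original page: the hostnames and DNs are constructed placeholders, and it assumes a valid Kerberos ticket for an account that can read the plugin entry.

```shell
#!/bin/sh
# Added example: report which expected passSyncManagersDNs values are
# missing from a server's ipa_pwd_extop plugin entry.
ENTRY='cn=ipa_pwd_extop,cn=plugins,cn=config'

# Constructed placeholder DNs; replace with the accounts you exempt.
DN_ADMIN='uid=webadmin,cn=users,cn=accounts,dc=example,dc=test'
DN_WEBAPP='krbprincipalname=HTTP/app.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test'

# Join LDIF continuation lines (a leading space continues the previous line).
unwrap() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (NR > 1) print buf; buf = $0 }
         END { if (NR > 0) print buf }'
}

# Lowercase and drop spaces after commas so DN comparison ignores cosmetics.
norm() { tr '[:upper:]' '[:lower:]' | sed 's/, */,/g'; }

# missing_managers DN... < ldif
# Prints every expected DN that is absent from the LDIF on stdin.
# The attribute name is matched case-insensitively; base64 ("::") values
# are not decoded and therefore count as absent.
missing_managers() {
    have=$(unwrap | grep -i '^passSyncManagersDNs: ' | sed 's/^[^:]*: *//' | norm)
    for dn in "$@"; do
        want=$(printf '%s\n' "$dn" | norm)
        if ! printf '%s\n' "$have" | grep -Fxq -- "$want"; then
            printf '%s\n' "$dn"
        fi
    done
}

# check_server HOST DN... : query one server's own copy of the plugin entry.
check_server() {
    host=$1; shift
    ldapsearch -Y GSSAPI -Q -LLL -H "ldap://$host" \
        -b "$ENTRY" -s base passSyncManagersDNs | missing_managers "$@"
}

# audit_all HOST... : an unreachable server reports every DN as missing.
audit_all() {
    for h in "$@"; do
        miss=$(check_server "$h" "$DN_ADMIN" "$DN_WEBAPP")
        if [ -z "$miss" ]; then echo "$h: ok"
        else printf '%s: MISSING\n%s\n' "$h" "$miss"; fi
    done
}
```

Run it as `audit_all ipa1.example.test ipa2.example.test` after sourcing the file, listing every server in the deployment.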
To allow staff to set passwords that don't expire, in the GUI:
- add permission Rutgers set expiration, write, type user, check "krbpasswordexpiration"
- add privilege Rutgers set expiration and add permission Rutgers set expiration to it, and add role administrator to it
- go to role Administrator and add group admins to it
```
ipa user-mod clh --setattr=krbpasswordexpiration=20380101000000Z
```
You can actually set dates beyond 2038, but I'm not sure whether all the code understands it.