On Mon, Jul 6, 2020 at 10:12 PM Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
> White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote:
> > Are there settings in FreeIPA similar to the setting available from the
> > chage command ? I am specifically looking for a setting for the time
> > after a password expires to allow the user to update it.
> >
> > I am looking for the same "grace period" that the non-IPA shell password
> > has. From the chage man page:
> >
> > -M, --maxdays MAX_DAYS
> > Set the maximum number of days during which a password is valid. When
> > MAX_DAYS plus LAST_DAY is less than the current day, the user will be
> > required to change his/her password before being able to use his/her
> > account.
> > -I, --inactive INACTIVE
> > Set the number of days of inactivity after a password has expired before
> > the account is locked. The INACTIVE option is the number of days of
> > inactivity. A user whose account is locked must contact the system
> > administrator before being able to use the system again.
> >
> > I find nothing like this in the documentation.
> >
> > I do know, however, that when a user is initially created, the password
> > expire time is set to the current clock time.
> > When the user logs in for the first time, they are prompted to change
> > their password.
> > I am looking for a parameter -- like chage's INACTIVE -- that defines a
> > grace period from the time the password expires until the account is
> > locked and requires admin intervention.
> >
> > Or does that only happen for the account creation ?
>
> There is nothing automated to do this. Theoretically you could use
> krbprincipalexpiration to enforce this but there is nothing that will
> add some offset to it when a password is changed.
>
> I think it would be fairly straightforward to add but it would require a
> new policy attribute, new CLI/UI to manage that attribute, etc.
Or ipa-epn ( https://pagure.io/freeipa/issue/3687 ) could be enhanced to do that. It is able to warn users their passwords will expire in the near future; locking accounts might require running on a replica but adding that feature should be straightforward.

> The actual setting of the attribute is probably like 5 lines of code.

Yes, the change is probably very small.

> rob

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
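The thread agrees that FreeIPA has no built-in equivalent of `chage -I`, but that an admin could emulate it by setting `krbPrincipalExpiration` to the password expiry plus a grace offset. The script below is an added example written for this thread; it is not FreeIPA code and not the ipa-epn enhancement Florence mentions. It assumes the real FreeIPA attribute names `krbPasswordExpiration` and `krbPrincipalExpiration` (LDAP GeneralizedTime in UTC) and the real `ipa user-mod USER --setattr` CLI form; the user records are constructed sample data, not output from any server. It computes the lock time, classifies each account as valid, in its grace window, or locked, and emits the `ipa user-mod` commands a scheduled job on a replica could run.

```python
"""Emulate a chage-style INACTIVE grace period for FreeIPA users.

Added example for this mailing-list thread, not FreeIPA's own code.
krbPasswordExpiration and krbPrincipalExpiration are real FreeIPA
attributes stored as LDAP GeneralizedTime (e.g. 20200706221200Z);
the sample user records below are constructed, not real directory data.
"""
from datetime import datetime, timedelta, timezone

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime as FreeIPA writes it

# Constructed sample records in the shape of a flattened LDAP/ipa user-find result.
SAMPLE_USERS = [
    {"uid": "alice", "krbpasswordexpiration": "20200706221200Z"},  # expired, in grace
    {"uid": "bob"},                                                 # no expiry set
    {"uid": "carol", "krbpasswordexpiration": "20200601000000Z"},  # grace long over
    {"uid": "dave", "krbpasswordexpiration": "20201231000000Z"},   # still valid
]


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime string (UTC, trailing 'Z') into an aware datetime."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def format_generalized_time(when: datetime) -> str:
    """Format an aware datetime as LDAP GeneralizedTime in UTC."""
    return when.astimezone(timezone.utc).strftime(GENERALIZED_TIME)


def principal_expiration_for(password_expiration: str, inactive_days: int) -> str:
    """krbPrincipalExpiration = krbPasswordExpiration + INACTIVE days (chage -I semantics)."""
    if inactive_days < 0:
        raise ValueError("inactive_days must be >= 0")
    expires = parse_generalized_time(password_expiration)
    return format_generalized_time(expires + timedelta(days=inactive_days))


def account_state(password_expiration: str, inactive_days: int, now: datetime) -> str:
    """Classify an account: 'valid' (password current), 'grace' (expired but
    still allowed to change it), or 'locked' (grace window over, admin needed)."""
    expires = parse_generalized_time(password_expiration)
    lock_at = expires + timedelta(days=inactive_days)
    if now < expires:
        return "valid"
    if now < lock_at:
        return "grace"
    return "locked"


def user_mod_command(uid: str, principal_expiration: str) -> list:
    """Build the ipa CLI invocation that sets the attribute on one user."""
    return ["ipa", "user-mod", uid, "--setattr", f"krbprincipalexpiration={principal_expiration}"]


def plan_grace_period(users: list, inactive_days: int) -> list:
    """One ipa command per user with a known password expiry; users without
    krbPasswordExpiration are skipped rather than given an arbitrary lock date."""
    commands = []
    for user in users:
        pw_exp = user.get("krbpasswordexpiration")
        if not pw_exp:
            continue
        commands.append(user_mod_command(user["uid"], principal_expiration_for(pw_exp, inactive_days)))
    return commands


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for user in SAMPLE_USERS:
        pw_exp = user.get("krbpasswordexpiration")
        state = account_state(pw_exp, 5, now) if pw_exp else "no-expiry"
        print(f"{user['uid']:<8} {state}")
    for cmd in plan_grace_period(SAMPLE_USERS, inactive_days=5):
        print(" ".join(cmd))
```

Because, as Rob notes, nothing in FreeIPA re-applies the offset when a password changes, such a job has to run on a schedule and recompute the value after every password change; otherwise a user who changed their password on time would still be locked at the old date. Setting `krbPrincipalExpiration` in the past blocks Kerberos authentication outright, which is the "admin intervention" lock the question asks for, so the job should log what it sets and should never touch accounts that have no password expiry recorded.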