On Wed, 2015-08-05 at 10:31 +0200, David Kupka wrote:
> On 04/08/15 17:01, Robert Locke wrote:
> > Hey folks,
> >
> > I have been using the following to adjust the Password Expiration of
> > accounts in IdM/IPA:
> > echo "$ADMIN_PASS" | kinit admin
> > echo -e "dn: uid=rheluseri,cn=users,cn=accounts,dc=example,dc=com\nchangetype: modify\nreplace: krbPasswordExpiration\nkrbPasswordExpiration: 20300101000000Z\n" | ldapmodify -x -D 'cn=Directory Manager' -w $ADMIN_PASS
> >
> > This has worked nicely for me.
> >
> > My "new" problem is that the admin account itself expires after 90 days.
> > I thought since ldapsearch does show the admin account, that simply
> > substituting the uid might work.
> >
> > echo -e "dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com\nchangetype: modify\nreplace: krbPasswordExpiration\nkrbPasswordExpiration: 20300101000000Z\n" | ldapmodify -x -D 'cn=Directory Manager' -w $ADMIN_PASS
> >
> > My attempts to adjust the admin account in this similar fashion have
> > been not surprisingly unsuccessful.
> >
> > Suggestions/pointers?
> >
> > --Rob
> >
>
> Hello,
> I just tried to set krbPasswordExpiration attribute for admin and it
> worked as expected:
>
> $ ipa user-show admin --all
> dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
> User login: admin
> ...
> krbpasswordexpiration: 20200101000000Z
> ...
>
> $ echo -e "dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com\nchangetype: modify\nreplace: krbPasswordExpiration\nkrbPasswordExpiration: 20300101000000Z\n" | ldapmodify -x -D 'cn=Directory Manager' -w $DM_PASS
> modifying entry "uid=admin,cn=users,cn=accounts,dc=example,dc=com"
>
> $ ipa user-show admin --all
> dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
> User login: admin
> ...
> krbpasswordexpiration: 20300101000000Z
> ...
>
> Could you provide more information about what is failing? Only thing
> that comes to my mind is that you're using $ADMIN_PASS variable where
> Directory Manager password is required but I know it's just name of the
> variable.
>

You're right. It was my mistake.

My reality is that $ADMIN_PASS is used to set both the Directory Manager
and admin passwords initially during ipa-server-install. When I was faced
with having to change the admin password, I failed to realize that the
Directory Manager password had remained the same, so all my "testing" was
simply using the wrong new password of admin when I simply needed to use
the old password of Directory Manager.

Sorry for the noise. And thanks for checking it on me.

--Rob

-- 
Robert Locke
Google Voice: (203) 794-6007
Senior Curriculum Developer
rlo...@redhat.com
GnuPG: A334 CAB1 451A 6083 CDD8 40FE A5DE E418 82E0 0780

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
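
Added example (not part of the original thread and not FreeIPA's own code): the krbPasswordExpiration change discussed above, wrapped in a script that validates the uid and timestamp before building the LDIF and binds as Directory Manager with a password prompt (`-W`) instead of the `-w $ADMIN_PASS` form used in the thread. `BASE_DN`, `LDAP_URI` and the function names `expiry_ldif` and `set_expiry` are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: build the LDIF used in this thread and apply it as Directory Manager.
# BASE_DN and LDAP_URI are assumed placeholders; adjust them for the deployment.
BASE_DN="${BASE_DN:-dc=example,dc=com}"
LDAP_URI="${LDAP_URI:-ldap://localhost}"

# Print an LDIF modify record replacing krbPasswordExpiration for one user.
# $1 = uid, $2 = GeneralizedTime in UTC (YYYYMMDDhhmmssZ). Returns 2 on bad input.
expiry_ldif() {
    uid=$1
    when=$2
    # Reject characters that would need escaping in a DN or would break the LDIF.
    case $uid in
        ''|*[!A-Za-z0-9._-]*) echo "invalid uid: $uid" >&2; return 2 ;;
    esac
    # Exactly 14 digits followed by Z, as in 20300101000000Z.
    case $when in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]Z) ;;
        *) echo "invalid timestamp: $when" >&2; return 2 ;;
    esac
    printf 'dn: uid=%s,cn=users,cn=accounts,%s\n' "$uid" "$BASE_DN"
    printf 'changetype: modify\n'
    printf 'replace: krbPasswordExpiration\n'
    printf 'krbPasswordExpiration: %s\n' "$when"
}

# Bind as Directory Manager and apply the change. -W prompts for the password,
# so it is not exposed in the process list or in shell history.
set_expiry() {
    ldif=$(expiry_ldif "$1" "$2") || return 2
    printf '%s\n' "$ldif" |
        ldapmodify -x -H "$LDAP_URI" -D 'cn=Directory Manager' -W
    rc=$?
    # The bind DN is Directory Manager, so the admin password is the wrong
    # credential here even if both were identical at install time.
    [ "$rc" -eq 0 ] || echo "ldapmodify failed ($rc): check the Directory Manager password" >&2
    return "$rc"
}
```

Running `set_expiry admin 20300101000000Z` prompts for the Directory Manager password; `ipa user-show admin --all` then shows the new `krbpasswordexpiration` value, as in the reply quoted above.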