Re: [Freeipa-users] How to unset a user's kerberos principal expiration date?
On 30/06/16 14:14, Rob Crittenden wrote: David Kupka wrote: On 29/06/16 19:05, Roderick Johnstone wrote: Hi If I set a kerberos principal for a user to expire on a given date using: ipa user-mod --principal-expiration=DATE is it possible to later remove this expiration date rather than just set it to a time far in the future? Thanks Roderick Johnstone Hello Roderick, AFAIK the only way to remove principal expiration at the time is remove krbPrincipalExpiration attribute from the user entry in DS. $ kinit admin Password for ad...@example.org $ ldapmodify -Y GSSAPI SASL/GSSAPI authentication started SASL username: ad...@example.org SASL SSF: 56 SASL data security layer installed. dn:uid=tuser,cn=users,cn=accounts,dc=example,dc=org changetype: modify delete: krbprincipalexpiration modifying entry "uid=tuser,cn=users,cn=accounts,dc=example,dc=org" I think that it makes sense to expose this in API. Could you please file RFE (https://fedorahosted.org/freeipa/newticket)? You just need to pass in a blank value: $ ipa user-mod --principal-expiration= rob Thanks both. I can indeed confirm that setting --principal-expiration= does in fact remove the kerberos expiration date. Roderick -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] How to unset a user's kerberos principal expiration date?
David Kupka wrote: On 29/06/16 19:05, Roderick Johnstone wrote: Hi If I set a kerberos principal for a user to expire on a given date using: ipa user-mod --principal-expiration=DATE is it possible to later remove this expiration date rather than just set it to a time far in the future? Thanks Roderick Johnstone Hello Roderick, AFAIK the only way to remove principal expiration at the time is remove krbPrincipalExpiration attribute from the user entry in DS. $ kinit admin Password for ad...@example.org $ ldapmodify -Y GSSAPI SASL/GSSAPI authentication started SASL username: ad...@example.org SASL SSF: 56 SASL data security layer installed. dn:uid=tuser,cn=users,cn=accounts,dc=example,dc=org changetype: modify delete: krbprincipalexpiration modifying entry "uid=tuser,cn=users,cn=accounts,dc=example,dc=org" I think that it makes sense to expose this in API. Could you please file RFE (https://fedorahosted.org/freeipa/newticket)? You just need to pass in a blank value: $ ipa user-mod --principal-expiration= rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] How to unset a user's kerberos principal expiration date?
On 29/06/16 19:05, Roderick Johnstone wrote: Hi If I set a kerberos principal for a user to expire on a given date using: ipa user-mod --principal-expiration=DATE is it possible to later remove this expiration date rather than just set it to a time far in the future? Thanks Roderick Johnstone Hello Roderick, AFAIK the only way to remove principal expiration at the time is remove krbPrincipalExpiration attribute from the user entry in DS. $ kinit admin Password for ad...@example.org $ ldapmodify -Y GSSAPI SASL/GSSAPI authentication started SASL username: ad...@example.org SASL SSF: 56 SASL data security layer installed. dn:uid=tuser,cn=users,cn=accounts,dc=example,dc=org changetype: modify delete: krbprincipalexpiration modifying entry "uid=tuser,cn=users,cn=accounts,dc=example,dc=org" I think that it makes sense to expose this in API. Could you please file RFE (https://fedorahosted.org/freeipa/newticket)? -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] How to unset a user's kerberos principal expiration date?
Hi If I set a kerberos principal for a user to expire on a given date using: ipa user-mod --principal-expiration=DATE is it possible to later remove this expiration date rather than just set it to a time far in the future? Thanks Roderick Johnstone -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project