Friday, January 11, 2013

Setting (Long) Expiry Date for IPA User Passwords

I use Identity, Policy, Audit (IPA) to provide authentication services to my oVirt and Red Hat Enterprise Virtualization environments. By default IPA not only forces passwords for all user accounts to expire at relatively frequent intervals but makes it difficult to turn this behaviour off.

Future versions of IPA are slated to make this functionality configurable on a more granular level but in the meantime here is how I configured all (existing) users in the system to have a password expiry date some time in 2037:
  • Obtain a Kerberos ticket for the administrative user.
$ kinit admin
  • Generate an ldif file containing directives to change the krbpasswordexpiration value for each user.
  • You can use the following script to do this; change the base DN (dc=example,dc=com) to match your environment.
#!/bin/sh
# Base DN of the IPA directory: change this to match your environment.
BASEDN="dc=example,dc=com"
# krbPasswordExpiration is a GeneralizedTime value (YYYYMMDDHHMMSSZ, UTC).
EXPIRY="20371231011529Z"
OUT=./krbpasswordexpiration_all.ldif

# List the uid of every user account; the GSSAPI bind uses the Kerberos
# ticket obtained with kinit. Asking only for the uid attribute avoids
# having to scrape it out of the full entries.
USERS=`ldapsearch -LLL -Y GSSAPI -b "cn=users,cn=accounts,${BASEDN}" '(objectClass=posixAccount)' uid | sed -n 's/^uid: //p'`

# Start from an empty file so re-running the script does not append duplicates.
: > "${OUT}"

for USER in ${USERS}; do
    cat >> "${OUT}" <<DELIM
dn: uid=${USER},cn=users,cn=accounts,${BASEDN}
changetype: modify
replace: krbpasswordexpiration
krbpasswordexpiration: ${EXPIRY}
-

DELIM
done

  • Use ldapmodify to log in as the directory manager and run the ldif file to apply the modifications. You will be prompted to enter your directory manager password to complete this step.
$ ldapmodify -x -D "cn=directory manager" -W -vv -f ./krbpasswordexpiration_all.ldif
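The three steps above can be wrapped so that the generated LDIF can be checked before it is applied and the result verified afterwards. The script below is an added example, not code from the original post: it builds the same kind of change record from a list of uids and then scans an ldapsearch result for users whose krbPasswordExpiration is not the value that was pushed (including users where the attribute is missing). BASEDN and EXPIRY are placeholders, and the ldapsearch output it checks is constructed inline rather than captured from a real server.

```shell
#!/bin/sh
# Added example (not from the original post). BASEDN and EXPIRY are
# placeholders; SAMPLE_LDIF below is a constructed ldapsearch result.

BASEDN="dc=example,dc=com"
EXPIRY="20371231011529Z"

# Emit one LDIF modify record per uid read from stdin (one uid per line).
# Each record is terminated with "-" as RFC 2849 requires.
gen_expiry_ldif() {
    while IFS= read -r uid; do
        [ -n "$uid" ] || continue
        printf 'dn: uid=%s,cn=users,cn=accounts,%s\n' "$uid" "$BASEDN"
        printf 'changetype: modify\n'
        printf 'replace: krbpasswordexpiration\n'
        printf 'krbpasswordexpiration: %s\n-\n\n' "$EXPIRY"
    done
}

# Read LDIF on stdin, e.g. the output of
#   ldapsearch -LLL -Y GSSAPI -b "cn=users,cn=accounts,$BASEDN" \
#       '(objectClass=posixAccount)' uid krbPasswordExpiration
# and print the uid of every user whose expiry is NOT the expected value.
# Users with no krbPasswordExpiration attribute at all are reported too.
find_unexpected_expiry() {
    awk -v want="$EXPIRY" '
        # LDAP attribute names are case-insensitive, so compare lowercased.
        tolower($1) == "uid:"                   { uid = $2 }
        tolower($1) == "krbpasswordexpiration:" { expiry = $2 }
        # A blank line ends an entry: judge it, then reset for the next one.
        /^$/ && uid != "" { if (expiry != want) print uid; uid = ""; expiry = "" }
        END { if (uid != "" && expiry != want) print uid }
    '
}

# Constructed sample of what ldapsearch could return after the update:
# alice was updated, bob still has a 2013 expiry, carol7 has none.
SAMPLE_LDIF='dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
krbPasswordExpiration: 20371231011529Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
krbPasswordExpiration: 20130401000000Z

dn: uid=carol7,cn=users,cn=accounts,dc=example,dc=com
uid: carol7
'

# Demonstration on the constructed data.
printf 'alice\ncarol7\n' | gen_expiry_ldif
echo "Users still without the expected expiry:"
printf '%s' "$SAMPLE_LDIF" | find_unexpected_expiry
```

Run the real search into `find_unexpected_expiry` after the ldapmodify step to confirm nothing was skipped. Note that this only rewrites the stored attribute: the next time a user changes their password, IPA recomputes the expiry from the password policy's maximum lifetime, so the check is worth repeating after password changes.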

References: