Future versions of IPA are slated to make this functionality configurable at a more granular level (the ticket in the references tracks that work), but in the meantime here is how I configured all existing users in the system to have a password expiry date in 2037:
- Obtain a Kerberos ticket for the administrative user (kinit admin).
- Generate an ldif file containing a modify directive that sets the krbPasswordExpiration value for each user. The value is an LDAP GeneralizedTime in UTC (YYYYMMDDHHMMSSZ).
- You can use the following script to do this; change the base DN (dc=example,dc=com) and the expiry timestamp to match your environment.
BASE_DN="dc=example,dc=com"
USERS_DN="cn=users,cn=accounts,${BASE_DN}"
# Read the uid attribute instead of grepping the DN for 'uid=[a-z]*', which
# would silently truncate usernames containing digits, dots or hyphens.
USERS=$(ldapsearch -Y GSSAPI -LLL -b "${USERS_DN}" '(objectClass=posixAccount)' uid | sed -n 's/^uid: //p')
# Truncate rather than touch, so a second run does not append duplicate records.
: > ./krbpasswordexpiration_all.ldif
for USER in ${USERS}; do
cat >> ./krbpasswordexpiration_all.ldif <<DELIM
dn: uid=${USER},${USERS_DN}
changetype: modify
replace: krbPasswordExpiration
krbPasswordExpiration: 20371231011529Z

DELIM
done
# The blank line after each record is required: LDIF separates records with an
# empty line, and without it ldapmodify rejects the file at the second "dn:".
- Use ldapmodify to bind as the Directory Manager and apply the ldif file. You will be prompted for the Directory Manager password to complete this step:
ldapmodify -x -D "cn=Directory Manager" -W -f ./krbpasswordexpiration_all.ldif
Run this on the IPA server itself, or pass -H with an ldaps:// URI, so the Directory Manager password is not sent over the network in clear text. Directory Manager is used because the attribute is not writable with the admin's Kerberos credentials on this release. Note that this only touches existing accounts: the next time a user changes their password, IPA recomputes krbPasswordExpiration from the password policy's maximum lifetime, and newly created users get their expiry from the policy as well.
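The three steps above as one script, added here as an example rather than code from the original post. The base DN (dc=example,dc=com), the expiry value, the ldif path and the principal name "admin" are assumed placeholders; the LDIF generation is split into functions so it can be checked on sample ldapsearch output before anything is written to the directory, and the script only talks to the server when invoked with --apply.

```bash
#!/bin/sh
# Added example (not code from the original post). BASE_DN, EXPIRY and LDIF
# are assumed placeholders; override them in the environment to match your
# deployment. Nothing contacts the directory unless "--apply" is given.
set -u

BASE_DN="${BASE_DN:-dc=example,dc=com}"
USERS_DN="cn=users,cn=accounts,${BASE_DN}"
EXPIRY="${EXPIRY:-20371231011529Z}"            # GeneralizedTime, UTC
LDIF="${LDIF:-./krbpasswordexpiration_all.ldif}"

# Pull uid values out of LDIF-formatted ldapsearch output on stdin. Reading the
# uid attribute (rather than grepping the DN for [a-z]*) keeps usernames that
# contain digits, dots or hyphens intact. Base64-encoded values ("uid::") are
# not handled; IPA usernames are plain ASCII.
extract_uids() {
    sed -n 's/^uid: //p' | sort -u
}

# Emit one LDIF modify record per uid read from stdin. The blank line after
# each record is mandatory: without it ldapmodify treats the next "dn:" as
# another attribute of the previous record and rejects the file.
build_ldif() {
    while IFS= read -r user; do
        [ -n "$user" ] || continue
        printf 'dn: uid=%s,%s\n' "$user" "$USERS_DN"
        printf 'changetype: modify\n'
        printf 'replace: krbPasswordExpiration\n'
        printf 'krbPasswordExpiration: %s\n\n' "$EXPIRY"
    done
}

# Refuse anything that is not YYYYMMDDHHMMSSZ. The server would reject a
# malformed value anyway, but only after you have typed the DM password.
valid_generalized_time() {
    printf '%s' "$1" | grep -Eq '^[0-9]{14}Z$'
}

# Number of modify records in a generated file, to compare against the
# expected user count before applying it.
count_records() {
    grep -c '^changetype: modify$' "$1"
}

if [ "${1:-}" = "--apply" ]; then
    valid_generalized_time "$EXPIRY" || { echo "bad EXPIRY: $EXPIRY" >&2; exit 1; }
    # Step 1: Kerberos ticket for the administrative user (assumed: "admin").
    kinit admin
    # Step 2: build the LDIF from the live user container.
    ldapsearch -Y GSSAPI -LLL -b "$USERS_DN" '(objectClass=posixAccount)' uid \
        | extract_uids | build_ldif > "$LDIF"
    echo "$(count_records "$LDIF") records written to $LDIF" >&2
    # Step 3: apply as Directory Manager; -W prompts for the DM password.
    # Run this on the IPA server (or add -H ldaps://<server>) so the password
    # is not sent in the clear.
    ldapmodify -x -D "cn=Directory Manager" -W -f "$LDIF"
fi
```

Before running with --apply, feed the functions a saved copy of the ldapsearch output (for example `extract_uids < users.ldif | build_ldif`) and confirm the record count matches the number of users you expect; the generated file is plain text and worth reviewing, since a replace on the wrong DN or a mistyped timestamp is applied to every account in one bind.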
References:
- https://fedorahosted.org/freeipa/ticket/2795
- https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/pwd-expiration.html