Change FreeIPA user maximum password expiry lifetime > 90 days


In FreeIPA IdM, user passwords expire after 90 days by default. This guide covers how to change the FreeIPA user password lifetime to a period longer than 90 days. FreeIPA is an integrated identity and security information management solution that combines Linux, 389 Directory Server, MIT Kerberos, NTP, DNS and the Dogtag certificate management system.

To check the default maximum lifetime of all passwords, run the following command.

$ ipa pwpolicy-find
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600
----------------------------
Number of entries returned 1
----------------------------

You can also query the maximum password lifetime directly from LDAP, but note that there the value is stored in seconds rather than days.

$ ldapsearch -x -LLL -D "cn=Directory Manager" "cn=global_policy"  -W
Enter LDAP Password:
dn: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=EXAMPLE,dc=COM
objectClass: top
objectClass: nsContainer
objectClass: krbPwdPolicy
objectClass: ipapwdpolicy
krbMinPwdLife: 3600
krbPwdMinDiffChars: 0
krbPwdMinLength: 8
krbPwdHistoryLength: 0
krbMaxPwdLife: 7776000
krbPwdMaxFailure: 6
krbPwdFailureCountInterval: 60
krbPwdLockoutDuration: 600
cn: global_policy

We can see the password lifetime (krbMaxPwdLife) is set to 7776000 seconds, which is 90 × 86400 = 90 days.

There are two ways to extend a user's maximum password lifetime.

Modify password expiry lifetime for a specific user

You can modify a single user's password expiration without touching the default policy, using the command below:

$ ipa user-mod jmutai --password-expiration='2032-10-25 19:18:30Z'
-----------------------
Modified user "jmutai"
-----------------------
  User login: jmutai
  First name: Josphat
  Last name: Mutai
  Home directory: /home/jmutai
  Login shell: /bin/bash
  Principal name: [email protected]
  Principal alias: [email protected]
  User password expiration: 20321025191830Z
  Email address: [email protected]
  UID: 959600003
  GID: 959600003
  SSH public key fingerprint: SHA256:b/8AoYgbThoBYPcFh7CetJuGY/Tl7s4fiJwUWUcIEcE (ssh-rsa)
  Account disabled: False
  Password: True
  Member of groups: admins, sysadmins, ipausers
  Kerberos keys available: True

In the command above we set the password expiry for user jmutai to 25 October 2032 at 19:18:30 UTC (the trailing Z denotes UTC).

Below is a similar modification for the admin user.

$ ipa user-mod admin --password-expiration='2032-10-25 19:18:30Z'
---------------------
Modified user "admin"
---------------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: [email protected], [email protected]
  User password expiration: 20321025191830Z
  UID: 959600000
  GID: 959600000
  Account disabled: False
  Password: True
  Member of groups: trust admins, admins
  Kerberos keys available: True
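The two facts above, that LDAP stores krbMaxPwdLife in seconds while ipa prints days, and that a per-user --password-expiration override is independent of the global policy, are worth turning into a routine check: an override like the one set for jmutai and admin will quietly outlive any later tightening of global_policy. The following Python script is an added example, not code from the original post or from the FreeIPA project. It parses the LDIF-style policy entry shown earlier and the "User password expiration" values printed by the ipa commands (LDAP generalized time, UTC), then reports which accounts are already expired, which are within policy, and which carry an override longer than the policy maximum. The LDIF text, the user list and the reference date are all constructed for the example.

```python
"""Audit FreeIPA password expirations against the global password policy.

Added example, not from the original post. All sample input is constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: the relevant attributes of the global_policy entry
# as returned by the ldapsearch query shown in the post (values in seconds).
POLICY_LDIF = """\
dn: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=EXAMPLE,dc=COM
objectClass: krbPwdPolicy
krbMinPwdLife: 3600
krbMaxPwdLife: 7776000
krbPwdMaxFailure: 6
"""

# Constructed sample: "User password expiration" values as printed by ipa.
USER_EXPIRY = {
    "jmutai": "20321025191830Z",       # per-user override, about ten years out
    "admin": "20321025191830Z",        # same override on the admin account
    "techviewleo": "20220820072054Z",  # admin-set initial password, already expired
    "bob": "20221101000000Z",          # expires within the policy maximum
}

SECONDS_PER_DAY = 86400


def parse_policy_ldif(ldif: str) -> dict:
    """Return the integer-valued krb* attributes of a pwpolicy LDIF entry."""
    attrs = {}
    for line in ldif.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if key.startswith("krb") and value.isdigit():
            attrs[key] = int(value)
    return attrs


def seconds_to_days(seconds: int) -> float:
    """Convert an LDAP lifetime in seconds to the days that ipa displays."""
    return seconds / SECONDS_PER_DAY


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP generalized time such as 20321025191830Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def audit(policy: dict, users: dict, now: datetime) -> dict:
    """Classify each user as 'expired', 'exceeds_policy' or 'ok'.

    'exceeds_policy' means the per-user expiration lies further in the future
    than krbMaxPwdLife allows, i.e. the account carries an override that the
    global policy does not govern.
    """
    max_life = timedelta(seconds=policy["krbMaxPwdLife"])
    result = {}
    for user, raw in users.items():
        expiry = parse_generalized_time(raw)
        if expiry <= now:
            result[user] = "expired"
        elif expiry - now > max_life:
            result[user] = "exceeds_policy"
        else:
            result[user] = "ok"
    return result


if __name__ == "__main__":
    policy = parse_policy_ldif(POLICY_LDIF)
    max_seconds = policy["krbMaxPwdLife"]
    print(f"krbMaxPwdLife = {max_seconds} s = {seconds_to_days(max_seconds):g} days")
    # Fixed reference date so the output is reproducible; use
    # datetime.now(timezone.utc) when running against a live directory.
    reference = datetime(2022, 8, 21, tzinfo=timezone.utc)
    for user, status in audit(policy, USER_EXPIRY, reference).items():
        print(f"{user:12} {USER_EXPIRY[user]}  {status}")
```

In practice you would feed the script the real ldapsearch output and the "User password expiration" lines from ipa user-find --all, and review every account reported as exceeds_policy, since those are exactly the overrides that a later change to the global maxlife will not touch.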

Changing global group password policy

You can also modify the password expiration for all users in FreeIPA with the ipa pwpolicy-mod command (run without a group name, it changes global_policy). The option to use is:

--maxlife=INT

Where INT is the maximum password lifetime in days.

Let's say we want to set the maximum password lifetime to 365 days. The command to apply is:

$ ipa pwpolicy-mod --maxlife=365
  Group: global_policy
  Max lifetime (days): 365
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600

Let's confirm that the change took effect:

$ ipa pwpolicy-find
  Group: global_policy
  Max lifetime (days): 365
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600
----------------------------
Number of entries returned 1
----------------------------

We can create a sample user and check whether the policy applies to new accounts.

$ ipa user-add techviewleo --first=Techview --last=Leo --password
Password:
Enter Password again to verify:
------------------------
Added user "techviewleo"
------------------------
  User login: techviewleo
  First name: Techview
  Last name: Leo
  Full name: Techview Leo
  Display name: Techview Leo
  Initials: TL
  Home directory: /home/techviewleo
  GECOS: Techview Leo
  Login shell: /bin/bash
  Principal name: [email protected]
  Principal alias: [email protected]
  User password expiration: 20220820072054Z
  Email address: [email protected]
  UID: 959600005
  GID: 959600005
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

You can check which password policy applies to a user with the ipa command line tool:

$ ipa pwpolicy-show --user=techviewleo
  Group: global_policy
  Max lifetime (days): 365
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600

Log in to the FreeIPA server as the newly created user and change the password; FreeIPA marks a password set by an administrator as expired, so the change is required on first login.


Once the password has been changed, check the password expiry lifetime in the web interface.


A systems engineer with excellent skills in systems administration, cloud computing, systems deployment, virtualization, containers, and a certified ethical hacker.