Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1017730
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem:
Password change for ipa user using ldappasswd sets the password expiration to default 90 days.

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-26.el6_4.4.x86_64

How reproducible:
Always.

Steps to Reproduce:

    # ipa pwpolicy-find
      Group: foogroup
      Max lifetime (days): 60
      Min lifetime (hours): 0
      Priority: 0

      Group: global_policy
      Max lifetime (days): 1000
      Min lifetime (hours): 0
      History size: 0
      Character classes: 0
      Min length: 6
      Max failures: 6
      Failure reset interval: 30
      Lockout duration: 300

foouser is a part of group foogroup

    # ipa user-show foouser --all
    <snip>
      krbpasswordexpiration: 20131207143016Z
    </snip>

Password Expiration is set to 60 days as expected since it was changed by the user and the user foouser is a part of group foogroup.

Then we change the password using ldappasswd:

    # ldappasswd -D "cn=Directory Manager" -s Secret123 ... uid=foouser,cn=users,cn=accounts,dc=example,dc=com -w Secret123

Actual results:

    # ipa user-show foouser --all
    <snip>
      krbpasswordexpiration: 20140106144141Z
    </snip>

Actual Results: It sets back to 90 days.

Expected results:
It should set to the foogroup password policy that is 60 days

Additional info:
I have a patch since I was investigating the original issue.
attachment freeipa-mkosek-429-administrative-password-change-does-not-respect-pass.patch
Patch freeipa-mkosek-429-administrative-password-change-does-not-respect-pass.patch sent for review
master: 5d8c02c
ipa-3-3: 9bb9354
Metadata Update from @mkosek: - Issue assigned to mkosek - Issue set to the milestone: FreeIPA 3.3.x - 2013/10 (bug fixing)
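The comparison the report makes by hand, written as an audit check. This is an added example, not part of the original ticket or of the FreeIPA patch: it derives the lifetime actually applied to an entry and compares it with the policy that should apply. The `krbLastPwdChange` attribute does not appear in the report, its values here are constructed to match the 60 and 90 days stated there, and the policy selection rule (lowest priority number among the user's group policies, otherwise `global_policy`) is an assumption of this example.

```python
from datetime import datetime, timezone

def parse_gt(value):
    """Parse an LDAP GeneralizedTime value such as 20131207143016Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def effective_policy(groups, policies, default="global_policy"):
    """Assumed rule: lowest priority number among group policies, else default."""
    named = [g for g in groups if g in policies and g != default]
    return min(named, key=lambda g: policies[g]["priority"]) if named else default

def audit(entries, policies, tolerance_s=60):
    """Return (uid, policy, expected_days, applied_days) for each mismatch."""
    findings = []
    for e in entries:
        name = effective_policy(e["groups"], policies)
        expected = policies[name]["max_life_days"]
        delta = parse_gt(e["krbPasswordExpiration"]) - parse_gt(e["krbLastPwdChange"])
        applied = delta.total_seconds() / 86400
        # Flag entries whose applied lifetime differs from the policy lifetime.
        if abs(applied - expected) * 86400 > tolerance_s:
            findings.append((e["uid"], name, expected, round(applied, 2)))
    return findings

# Max lifetime and priority as listed by `ipa pwpolicy-find` in the report.
POLICIES = {
    "foogroup": {"max_life_days": 60, "priority": 0},
    "global_policy": {"max_life_days": 1000, "priority": None},
}

# Constructed entries. krbPasswordExpiration is taken from the report;
# krbLastPwdChange is constructed (expiration minus the 60 / 90 days stated).
AFTER_SELF_CHANGE = [{
    "uid": "foouser", "groups": ["foogroup"],
    "krbLastPwdChange": "20131008143016Z",
    "krbPasswordExpiration": "20131207143016Z",
}]
AFTER_LDAPPASSWD = [{
    "uid": "foouser", "groups": ["foogroup"],
    "krbLastPwdChange": "20131008144141Z",
    "krbPasswordExpiration": "20140106144141Z",
}]

if __name__ == "__main__":
    for label, data in (("self change", AFTER_SELF_CHANGE),
                        ("ldappasswd", AFTER_LDAPPASSWD)):
        print(label, audit(data, POLICIES))
```
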