#9429 See if possible maxlife needs to be reduced
Opened 9 months ago by rcritten. Modified 9 months ago

Issue

Ticket https://pagure.io/freeipa/issue/3817 was resolved in 2013 in commit https://pagure.io/freeipa/c/f954f2d1b92db10113b766759897d66c57e1e3ab by setting a cap on maxlife in the password policy so it doesn't overflow.

Ten years later and a user has reported that using 20k resulted in authentication failures due to expired passwords. Seems like it is time to revisit.

Steps to Reproduce

  1. Install IPA
  2. Create some user passwords
  3. Authenticate to verify they are fine.
  4. Set global pwpolicy maxlife to 20000
  5. Authenticate again

This was reported against ipa-4.10.1-8.el9_2

Actual behavior

(what happens)

Expected behavior

(what do you expect to happen)

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server

Additional info:

Any additional information, configuration, data or log snippets that is needed for reproduction or investigation of the issue.

Log file locations: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/config-files-logs.html
Troubleshooting guide: https://www.freeipa.org/page/Troubleshooting

