RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1346938 - [RFE] Support limited User life time
Summary: [RFE] Support limited User life time
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Florence Blanc-Renaud
QA Contact: Kaleem
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-06-15 17:00 UTC by Luc de Louw
Modified: 2019-09-25 04:23 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-09-25 04:23:51 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Luc de Louw 2016-06-15 17:00:18 UTC 
Description of problem:

One can add a user in the Staging area and manually activate them on the due date. Such a user can also be put in the preserved users area.

However, it would be great to have time rage for the validity of a user. I.e.

[root@ipa1 ~]# ipa user-add --params --valid-from 2016-07-01 --valid-to 2016-08-01

Usercase: Temporary Employees, Consultants, Interns


Version-Release number of selected component (if applicable):
4.2
Comment 2 Petr Vobornik 2016-06-17 15:37:39 UTC 
What would be the expected behavior for the user or its LDAP entry if current time would be out of the defined range?

Is it expected only auth to fail?

Should the user be also disabled?

Moved to staged area?
Comment 4 Luc de Louw 2016-06-22 09:18:55 UTC 
The user should be either disabled or put into the staging area, maybe by a parameter.
Comment 6 Petr Vobornik 2016-06-22 17:01:58 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5993
Comment 7 Arpit Tolani 2016-07-06 12:36:06 UTC 
(In reply to Petr Vobornik from comment #2)
> What would be the expected behavior for the user or its LDAP entry if
> current time would be out of the defined range?
> 
> Is it expected only auth to fail?
> 
> Should the user be also disabled?
> 
> Moved to staged area?

My customer expects user to not able to authenticate but it will be wonderful if user is moved in staged area.
Comment 8 Abhinay Reddy Peddireddy 2016-10-16 05:41:02 UTC 
My customer is also expecting the same that it would be good if login fails and user becomes disabled.Moving to a staged area could also make sense.
Comment 13 Amy Farley 2019-08-16 13:35:40 UTC 
This is already possible, using the Kerberos Principle Expiration Field. Closing
Comment 15 Florence Blanc-Renaud 2019-09-09 08:31:53 UTC 
Using the command-line, one can change the user's principal expiration time:
$ kinit admin
$ ipa user-mod <user> --principal-expiration=DATETIME

Using the GUI, navigate to the users > Active Users tab, than click on a user. In the User page, under the Account Settings, one can modify the value for "Kerberos principal expiration".

With this setting, the user account will expire on the provided date, meaning the user won't be able to authenticate any more.
Note You need to log in before you can comment on or make changes to this bug.