Description of problem:
None of the options available under the security_compliance group in keystone.conf are configurable through director. Namely:
Operators are expecting these options to be configurable.
[stack@undercloud-0 usr]$ yum list installed | grep puppet-keystone
sudo vi ./share/openstack-tripleo-heat-templates/puppet/services/keystone.yaml
Enabling this option requires users to change their password when the
user is created, or upon administrative reset.
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
The maximum number of days a user can go without authenticating before
being considered "inactive" and automatically disabled (locked).
The number of seconds a user account will be locked when the maximum
number of failed authentication attempts (as specified by
KeystoneLockoutFailureAttempts) is exceeded.
The maximum number of times that a user can fail to authenticate before
the user account is locked for the number of seconds specified by
The number of days that a password must be used before the user can
change it. This prevents users from changing their passwords immediately
in order to wipe out their password history and reuse an old password.
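An added example, not part of the bug report or of the puppet-keystone/tripleo code: a small audit of the [security_compliance] group in a rendered keystone.conf, covering the controls described above. The option names are those of upstream keystone's [security_compliance] group (the report itself only names the heat parameter KeystoneLockoutFailureAttempts), the sample file is constructed, and treating an unset or 0 value as "disabled" is an assumption of this sketch.

```python
import configparser

# Constructed sample: lockout_duration is set but no failure threshold is.
SAMPLE_CONF = """
[security_compliance]
change_password_upon_first_use = True
lockout_duration = 1800
minimum_password_age = 0
"""

# Integer controls described in the report; each is treated here as
# disabled when unset or 0 (assumption of this example).
INT_CONTROLS = {
    "disable_user_account_days_inactive": "inactive accounts are never locked",
    "lockout_failure_attempts": "failed logins never lock the account",
    "minimum_password_age": "passwords can be changed again immediately",
}


def audit_security_compliance(conf_text):
    """Map each weak or ineffective option to a short explanation."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    has_group = parser.has_section("security_compliance")
    sec = dict(parser["security_compliance"]) if has_group else {}
    findings, enabled = {}, set()
    for name, effect in INT_CONTROLS.items():
        raw = sec.get(name, "").strip()
        if not raw or raw == "0":
            findings[name] = "disabled: " + effect
        elif not raw.isdigit():
            findings[name] = "invalid value " + repr(raw)
        else:
            enabled.add(name)

    # Boolean option: unless true, users are not forced to replace a
    # password set at creation or by an administrative reset.
    if sec.get("change_password_upon_first_use", "").strip().lower() != "true":
        findings["change_password_upon_first_use"] = "disabled: no forced change"

    # lockout_duration is the lock time applied once lockout_failure_attempts
    # is exceeded, so on its own it does nothing.
    if sec.get("lockout_duration", "").strip() and "lockout_failure_attempts" not in enabled:
        findings["lockout_duration"] = "no effect without lockout_failure_attempts"
    return findings


if __name__ == "__main__":
    for option, problem in sorted(audit_security_compliance(SAMPLE_CONF).items()):
        print(f"{option}: {problem}")
```

Run against the keystone.conf that director renders on a controller, an empty result means every control described here is switched on.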
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.