Description of problem:
None of the options available under the security_compliance group in keystone.conf are configurable through director. Namely: disable_user_account_days_inactive, lockout_failure_attempts, lockout_duration, password_expires_days, unique_last_password_count, minimum_password_age, password_regex, password_regex_description, change_password_upon_first_use.

Operators are expecting these options to be configurable.
Verified on

    [stack@undercloud-0 usr]$ yum list installed | grep puppet-keystone
    puppet-keystone.noarch 12.3.1-0.20180320041258.5eb9a3f.el7ost

    sudo vi ./share/openstack-tripleo-heat-templates/puppet/services/keystone.yaml

    ..
    ...
    ....
      KeystoneChangePasswordUponFirstUse:
        type: string
        default: ''
        description: >-
          Enabling this option requires users to change their password when
          the user is created, or upon administrative reset.
        constraints:
          - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
      KeystoneDisableUserAccountDaysInactive:
        type: string
        default: ''
        description: >-
          The maximum number of days a user can go without authenticating
          before being considered "inactive" and automatically disabled
          (locked).
      KeystoneLockoutDuration:
        type: string
        default: ''
        description: >-
          The number of seconds a user account will be locked when the
          maximum number of failed authentication attempts (as specified by
          KeystoneLockoutFailureAttempts) is exceeded.
      KeystoneLockoutFailureAttempts:
        type: string
        default: ''
        description: >-
          The maximum number of times that a user can fail to authenticate
          before the user account is locked for the number of seconds
          specified by KeystoneLockoutDuration.
      KeystoneMinimumPasswordAge:
        type: string
        default: ''
        description: >-
          The number of days that a password must be used before the user
          can change it. This prevents users from changing their passwords
          immediately in order to wipe out their password history and reuse
          an old password.
    ....
    ...
    ..
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:2086
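
Once director can set these options, the rendered keystone.conf can be checked for unset or inconsistent values. The script below is an added example, not part of the bug report or of puppet-keystone; the function name, the sample configuration and the consistency rules (lockout_duration needs lockout_failure_attempts, minimum_password_age below password_expires_days, a regex needs a description) are assumptions chosen for illustration.

```python
import configparser
import re

# The nine [security_compliance] options listed in the bug description.
OPTIONS = (
    "disable_user_account_days_inactive", "lockout_failure_attempts",
    "lockout_duration", "password_expires_days", "unique_last_password_count",
    "minimum_password_age", "password_regex", "password_regex_description",
    "change_password_upon_first_use",
)
NUMERIC = OPTIONS[:6]

# Constructed sample, not taken from a real deployment.
SAMPLE_CONF = r"""
[security_compliance]
lockout_duration = 1800
password_expires_days = 30
minimum_password_age = 45
password_regex = ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$
"""

def audit_security_compliance(conf_text):
    """Return (unset_options, findings) for keystone.conf content (hypothetical helper)."""
    cp = configparser.ConfigParser(interpolation=None)  # regexes may contain '%'
    cp.read_string(conf_text)
    sec = dict(cp["security_compliance"]) if cp.has_section("security_compliance") else {}
    unset = [o for o in OPTIONS if not sec.get(o, "").strip()]
    findings, num = [], {}
    for name in NUMERIC:
        if name not in unset:
            try:
                num[name] = int(sec[name])
            except ValueError:
                findings.append(f"{name} is not an integer: {sec[name]!r}")
    if "lockout_duration" in num and "lockout_failure_attempts" in unset:
        findings.append("lockout_duration has no effect: lockout_failure_attempts is unset")
    if {"minimum_password_age", "password_expires_days"} <= num.keys() \
            and num["minimum_password_age"] >= num["password_expires_days"]:
        findings.append("minimum_password_age is not below password_expires_days")
    if "password_regex" not in unset:
        try:
            re.compile(sec["password_regex"])
        except re.error as exc:
            findings.append(f"password_regex does not compile: {exc}")
        if "password_regex_description" in unset:
            findings.append("password_regex has no password_regex_description")
    return unset, findings

if __name__ == "__main__":
    unset, findings = audit_security_compliance(SAMPLE_CONF)
    print("unset:", ", ".join(unset))
    print("\n".join(findings))
```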