Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Version set to 1.1 by mistake. Resetting to 2.0
need info on how to do this. emailed the list for help.
Rob please provide additional info.
The ipa-pwpolicy plugin handles both global and per-group password policy.

To show the global policy:

    ipa pwpolicy-show

To add a new policy for a specific group:

    ipa pwpolicy-add --minlife=10 --priority=10 --group=example

The priority determines which policy wins. The lower the number, the higher the priority. This is important if a user is in several groups, each with a password policy set. The group needs to already exist but does not need to have any members.

To show the password policy for a specific group:

    ipa pwpolicy-show --group=example

To see the policy set for a given user:

    ipa pwpolicy-show --user=tuser1

A password policy is not cumulative. In other words, you cannot override just one setting in a policy and let it fall back to the global policy on the others; it is all or nothing.

In the following example I create a user and two groups. I create a separate password policy for each group with a different priority and add the user to each group. Then I show the policy for the user to demonstrate how priority works.

    $ ipa user-add --first=Tim --last=User tuser1
    ---------
    user-add:
    ---------
    User login: tuser1
    First name: Tim
    Last name: User
    Home directory: /home/tuser1
    GECOS field: tuser1
    Login shell: /bin/sh
    Kerberos principal: tuser1
    -------------------
    Added user "tuser1"
    -------------------

    $ ipa group-add --desc=g1 g1
    ----------
    group-add:
    ----------
    Group name: g1
    Description: g1
    ----------------
    Added group "g1"
    ----------------

    $ ipa group-add --desc=g2 g2
    ----------
    group-add:
    ----------
    Group name: g2
    Description: g2
    ----------------
    Added group "g2"
    ----------------

    $ ipa pwpolicy-add --minlife=10 --priority=10 --group=g1
    <krbminpwdlife>: 10

    $ ipa group-add-member --users=tuser1 g1

    $ ipa pwpolicy-show --user=tuser1
    cn: g1
    group: g1
    krbminpwdlife: 10
    objectclass: top, nscontainer, krbpwdpolicy

    $ ipa pwpolicy-add --minlife=20 --priority=20 --group=g2
    <krbminpwdlife>: 20

    $ ipa group-add-member --users=tuser1 g2

    $ ipa pwpolicy-show --user=tuser1
    cn: g1
    group: g1
    krbminpwdlife: 10
    objectclass: top, nscontainer, krbpwdpolicy

Remove the user from g1 to show that they still have a custom policy.

    $ ipa group-remove-member --users=tuser1 g1

    $ ipa pwpolicy-show --user=tuser1
    cn: g2
    group: g2
    krbminpwdlife: 20
    objectclass: top, nscontainer, krbpwdpolicy
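A small model of the priority rule described in the comment above, added here as an illustration and not FreeIPA's own code: among a user's groups that carry a policy, the lowest-numbered priority wins, a user with no such group falls back to the global policy, and settings are never merged. The sample policy values and the handling of equal priorities are assumptions.

```python
# Constructed sample data replaying the thread's scenario (not FreeIPA code).
# Global policy values are made up; only krbminpwdlife comes from the thread.
GLOBAL_POLICY = {"krbminpwdlife": 1, "krbmaxpwdlife": 90}

# group name -> (priority, settings); a lower number means a higher priority
GROUP_POLICIES = {
    "g1": (10, {"krbminpwdlife": 10}),
    "g2": (20, {"krbminpwdlife": 20}),
}


def effective_policy(user_groups, group_policies=GROUP_POLICIES,
                     global_policy=GLOBAL_POLICY):
    """Return (policy_name, settings) that applies to a user.

    The policy with the lowest priority number among the user's groups
    wins outright.  Its settings are returned as-is: nothing is filled
    in from the global policy (policies are all or nothing).  If none
    of the user's groups has a policy, the global policy applies.
    Equal priorities are not covered by the thread; this model
    (an assumption) rejects that case instead of guessing.
    """
    candidates = [(prio, name, settings)
                  for name, (prio, settings) in group_policies.items()
                  if name in user_groups]
    if not candidates:
        return "global", dict(global_policy)
    candidates.sort(key=lambda c: c[0])
    if len(candidates) > 1 and candidates[0][0] == candidates[1][0]:
        raise ValueError("ambiguous: %s and %s share priority %d"
                         % (candidates[0][1], candidates[1][1], candidates[0][0]))
    _prio, name, settings = candidates[0]
    return name, dict(settings)


if __name__ == "__main__":
    # Same sequence as the transcript: g1 only, g1+g2, g2 only, no group.
    for groups in ({"g1"}, {"g1", "g2"}, {"g2"}, set()):
        print(sorted(groups), "->", effective_policy(groups))
```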
To help make the documentation more useful, can I have a use case for this?
The use case is you may have users whose passwords you never want to expire, or a set of users (say contractors) whose passwords will always expire after 30 days. We are providing overlapping group policy, using the priority setting to sort out which policy gets applied. I don't make it explicit in comment #4 but the last command shows the policy for a specific user.
    $ ipa pwpolicy-add --minlife=10 --priority=10 --group=g1
    <krbminpwdlife>: 10

I don't understand the following:

    <krbminpwdlife>: 10

I gather it's the min Kerberos pwd lifetime, but how do you use it? It's not discussed in the help/man page, and entering it as-is gives (me) an error: "bash: krbminpwdlife: No such file or directory"

Thanks
<krbminpwdlife>: 10 is the result of the command, not part of it. We recently changed the way attributes are displayed and not every attribute has a helpful, localizable label yet. This happens to be one of them.
This part will be fixed with Jason's patches but I am not sure all of them made Alpha 2.
*** This bug has been marked as a duplicate of bug 646213 ***