Product SiteDocumentation Site

11.4. Managing Password Expirations

Password policies are applied at the time a password is changed. So, when a password is set, it conforms to the password policy in effect at that time. If the password policy is changed later, that change is not applied, retroactively, to the password.
Setting password expiration periods is configured as part of the group password policy. Creating and editing password policies (including the expiration attribute in the policy) is covered in Section 11.3, “Creating and Editing Password Policies”.
With password expirations, there are two attibutes that are related:
Changing the password expiration time in the password policy does not affect the expiration date for a user, until the user password is changed. If the password expiration date needs to be changed immediately, it can be changed by editing the user entry.
To force the expiration date to change, reset the krbPasswordExpiration attribute value for the user. This can be done using the FreeIPA CLI with the --setattr option:
[bjensen@ipaserver ~]$ kinit
[bjensen@ipaserver ~]$ ipa user-mod jsmith --setattr=krbPasswordExpiration=20121231011529Z
If the new expiration date should be applied to multiple entries, it may be simpler to use ldapmodify and edit multiple entries simultaneously through an LDIF file in the -f option. For example, editing a single entry (with a modify statement similar to the LDIF file in -f):
[bjensen@ipaserver ~]$ ldapmodify -Y GSSAPI -h -p 389 -vv

dn: uid=jsmith,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
replace: krbpasswordexpiration
krbpasswordexpiration: 20140202203734Z


If an administrator resets a password, it expires the previous password and forces the user to update the password. When the user updates the password, it automatically uses the new password policies, including a new expiration date.