Yuri Krysko via FreeIPA-users wrote:
Hello All,
I have a user in our FreeIPA domain, whose password according to the
applied policy (displayed in the user properties UI ) should have
expired ~ 2 months ago, but it never did, nor did it force the user to
reset it. The below LDAP user attributes show old data and all in
accordance with the password policy. The user is still able to
authenticate to the applications using LDAP connection against the
FreeIPA servers. The krblastsuccessfulauth gets updated every time the
user logs in. I assume if I force-reset the user’s password, it will go
back to normal. However, I’d like to understand how to explain such a
bizarre behavior and avoid it in the future.
User password expiration: 20190305034410Z
krblastpwdchange: 20190104034410Z
krblastsuccessfulauth: 20190501213547Z
See
https://pagure.io/freeipa/issue/1539
rob