Increase default session timeout in iRODS v4.3.3

[mikkonie]

After upgrading the image, the default login timeout seems to be VERY short. This should be altered. Not 100% sure if this should go here or sodar-docker-compose, will move if needed.

Edit: Instead of simply increasing the default maximum values, we should make them configurable by env vars.

[holtgrewe]

Is this login timeout with irods icommands? IIRC, this is goverend by PAM.

[mikkonie]

There are infact two settings for maximum login length. There is a separate one for PAM, yes. For some reason, one of these was set very short in my iRODS 4.3 unattended config template.

[mikkonie]

These settings have changed in 4.3.1+, see here.

Max password time has to now be set with iadmin set_grid_configuration authentication password_max_time xxx

..however, the setting is set to the correct default value on the server. This can be verified with iadmin get_grid_configuration authentication password_max_time.

Supplying --ttl in iinit provides the expected TTL, but without that option supplied the password expires in 2 minutes. This makes iCommands unusable without supplying a custom TTL. So something has definitely changed somewhere. Changing default_temporary_password_lifetime_in_seconds in the server config doesn't help.

[mikkonie]

iRODS support to the rescue: this is an undocumented feature in v4.3.1+, where one is supposed to use password_min_time in addition to password_max_time. They have now added a ticket for documenting this :)

It has to be set with iadmin set_grid_configuration authentication password_min_time 1209600. I'll double-check to make sure there isn't a way to do it in unattended_config.json. (Update: I asked iRODS support and it can't, at least for now)

[mikkonie]

Done.