[Freeipa-devel] Expired passwords cannot be changed via LDAP

Martin Kosek mkosek at redhat.com
Mon Jun 9 13:40:07 UTC 2014


On 06/09/2014 03:08 PM, Dmitri Pal wrote:
> On 06/09/2014 09:01 AM, Simo Sorce wrote:
>>>>>> From: "Martin Kosek" <mkosek at redhat.com>
>>>>>> Given all sort of issues we get, I am thinking we should just revert it
>>>>>> unless
>>>>>> there is a quick fix available.
>> Instead of reverting I am thinking we may want to make this optional by
>> adding a configuration parameter that defaults to False for now. Once we can
>> manage better the password change we can turn it on by default, in the
>> meanwhile admins can choose by themselves the lesser evil.
>>
>> Thoughts?
>>
>> Simo.
>>
> 
> I am also concerned about the OTP flows with this change.
> IMO we might not be ready for this change one way or another.
> Backing out or adding a default switch turning the feature off works for me.

I do not like the proposal very much. It sounds like "oops, this breaks
FreeIPA, let's hide it with a configuration option and fix later".

This would not be a simple fix, we know that Web UI and possibly other
workflows are broken unless we introduce password changes via anonymous binds
(and thus utilize oldPassword piece). We would also need to make sure the
setting is not read with every LDAP bind, otherwise it would also have some
performance impact, our BINDs are already slow (see
https://fedorahosted.org/freeipa/ticket/3892).

If this can be indeed fixed, let us do it before 4.0 Beta (we are talking about
2 weeks of time in ideal scenario) or revert until we are ready.

Martin
