[Freeipa-devel] User life cycle: authentication and preserved attributes
thierry bordaz
tbordaz at redhat.com
Thu Jun 19 15:32:58 UTC 2014
On 06/19/2014 03:41 PM, Simo Sorce wrote:
> On Thu, 2014-06-19 at 15:32 +0200, thierry bordaz wrote:
>> (those values must be active DN entries)
>> userPassword/krb keys: copied from source entry if they exist
> Uhmm this may actually fail, as we prevent storing pre-hashed
> passwords :/
> We'll have to somehow detect that krbprincipalkeys are also being added
> at the same time and allow pre-hashed password in that case, I guess.
Oops, that is right (ipapwd_pre_add I think): in that case there is no
entry extension to retrieve the unhashed password.
>
>
> Also I realized one thing for deleted users, should we preserve password
> History (should we put the last used password there) ?
Do you mean the attribute krbPwdHistory or passwordHistory?
Keeping passwordHistory would improve security. This prevents reusing the
same set of passwords just by doing user-delete/user-undelete.
Good to add the current password to this history.
thierry
>
> Simo.
>
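As an added example (not code from FreeIPA or from this thread), here is a simplified Python model of the delete/undelete flow discussed above: the preserved entry keeps its passwordHistory and gains the current password hash, so a later password change is rejected if it reuses any of them. The entry layout, helper names and PBKDF2 parameters are assumptions for illustration; FreeIPA's actual passwordHistory format and its handling of pre-hashed passwords differ.

```python
# Added example (not FreeIPA code): a simplified model of user-delete /
# user-undelete that carries passwordHistory along, so a password cannot
# be reused simply by deleting and undeleting the account.
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed value; real deployments tune this


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salthex$digesthex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def password_matches(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex)).split("$", 1)[1]
    return hmac.compare_digest(candidate, digest_hex)


def new_user(uid: str, password: str) -> dict:
    """An active entry (assumed layout): hash in userPassword, empty history."""
    return {"uid": uid, "active": True,
            "userPassword": hash_password(password), "passwordHistory": []}


def preserve_user(entry: dict) -> dict:
    """user-delete: keep the entry, and push the current hash into history."""
    history = entry["passwordHistory"] + [entry["userPassword"]]
    return {**entry, "active": False, "passwordHistory": history}


def undelete_user(entry: dict) -> dict:
    """user-undelete: reactivate, carrying passwordHistory along unchanged."""
    return {**entry, "active": True}


def change_password(entry: dict, new_password: str) -> bool:
    """Reject a password equal to the current one or to any preserved one."""
    for stored in [entry["userPassword"], *entry["passwordHistory"]]:
        if password_matches(new_password, stored):
            return False
    entry["passwordHistory"].append(entry["userPassword"])
    entry["userPassword"] = hash_password(new_password)
    return True


def reuse_after_undelete(password: str) -> bool:
    """Constructed scenario: delete, undelete, then try the old password again."""
    user = undelete_user(preserve_user(new_user("alice", password)))
    return change_password(user, password)  # False: history blocks the reuse
```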