[Freeipa-devel] User life cycle: authentication and preserved attributes

Simo Sorce ssorce at redhat.com
Thu Jun 19 16:40:11 UTC 2014


On Thu, 2014-06-19 at 17:32 +0200, thierry bordaz wrote:
> On 06/19/2014 03:41 PM, Simo Sorce wrote:
> > On Thu, 2014-06-19 at 15:32 +0200, thierry bordaz wrote:
> >>                  (those values must be active DN entries)
> >>                  userPassword/krb keys: copied from source entry if they
> >>                  exist
> > Uhmm this may actually fail, as we prevent storing pre-hashed
> > passwords :/
> > We'll have to somehow detect that krbprincipalkeys are also being added
> > at the same time and allow pre-hashed password in that case, I guess.

> Oops, that is right (ipapwd_pre_add, I think); in that case there is no 
> entry extension to retrieve the unhashed password.

Yeah we would need to change the logic there, to allow this specific
case.

> > Also I realized one thing for deleted users, should we preserve password
> > History (should we put the last used password there) ?
> do you mean attribute krbPwdHistory or passwordHistory?

We do not use krbPwdHistory.

> Keeping passwordHistory would improve security. This prevents reusing the 
> same set of passwords just by doing user-delete/user-undelete.
> It would be good to add the current password to this history.

Right, but should we add the current password being deleted there?
I think we should, unless we want to allow a user to pick up the same
password he had before deletion, which could be clearly expired by the
time a user is reactivated.

Simo.
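To make the two points of this exchange concrete, here is an added example that is not FreeIPA code and uses made-up names (`preserve_user`, `undelete_user`, `check_pre_add`, `HISTORY_SIZE`): it models a user-delete that keeps `passwordHistory` and moves the password in use into it, so that a delete/undelete cycle cannot be used to pick the same password again, and a pre-add rule that accepts a pre-hashed `userPassword` only when Kerberos keys arrive in the same add. Salted SHA-256 stands in for the directory's real password storage schemes, and the `{scheme}` prefix test is a simplified stand-in for how the plugin would recognize a pre-hashed value.

```python
"""Added example (not FreeIPA code): password history across user
delete/undelete, plus the pre-add rule for pre-hashed passwords.
Hashing is a salted SHA-256 stand-in; HISTORY_SIZE is an assumed policy."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional

HISTORY_SIZE = 5   # assumed policy value, not a FreeIPA default
SALT_LEN = 16


def hash_password(password: str) -> bytes:
    """Salt || SHA-256(salt || password); stand-in for a real storage scheme."""
    salt = os.urandom(SALT_LEN)
    return salt + hashlib.sha256(salt + password.encode()).digest()


def matches(stored: bytes, password: str) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.sha256(salt + password.encode()).digest()
    return hmac.compare_digest(candidate, digest)


class PasswordReused(Exception):
    pass


@dataclass
class User:
    uid: str
    user_password: Optional[bytes] = None            # userPassword (hashed)
    password_history: List[bytes] = field(default_factory=list)
    preserved: bool = False                           # deleted-but-preserved


def set_password(user: User, new_password: str) -> None:
    """Reject reuse against the current hash and the retained history."""
    candidates = list(user.password_history)
    if user.user_password is not None:
        candidates.append(user.user_password)
    if any(matches(old, new_password) for old in candidates):
        raise PasswordReused(user.uid)
    if user.user_password is not None:
        user.password_history.append(user.user_password)
    user.password_history = user.password_history[-HISTORY_SIZE:]
    user.user_password = hash_password(new_password)


def preserve_user(user: User, keep_history: bool) -> None:
    """user-delete with preservation; keep_history=True is the proposal in
    the thread: the password in use at deletion time goes into history."""
    if keep_history:
        if user.user_password is not None:
            user.password_history.append(user.user_password)
        user.password_history = user.password_history[-HISTORY_SIZE:]
    else:
        user.password_history = []
    user.user_password = None
    user.preserved = True


def undelete_user(user: User) -> None:
    """user-undelete: history is whatever preserve_user left behind."""
    user.preserved = False


def check_pre_add(entry: dict) -> bool:
    """Model of the pre-add rule: a pre-hashed userPassword ("{scheme}..."
    here, a simplification) is accepted only when krbPrincipalKey is part of
    the same add, i.e. when an entry is being restored with its keys."""
    pw = entry.get("userPassword")
    if pw is None or not pw.startswith("{"):
        return True
    return "krbPrincipalKey" in entry


def reuse_after_undelete(keep_history: bool) -> bool:
    """True if the pre-deletion password can be set again after undelete."""
    u = User("alice")                      # constructed sample user
    set_password(u, "Winter2014!")
    preserve_user(u, keep_history)
    undelete_user(u)
    try:
        set_password(u, "Winter2014!")
        return True
    except PasswordReused:
        return False


if __name__ == "__main__":
    print("reuse possible, history dropped:", reuse_after_undelete(False))
    print("reuse possible, history kept:   ", reuse_after_undelete(True))
```

Running the module shows the difference the thread is after: with history dropped on delete the old password is accepted again after undelete, with history kept (including the password in use at deletion time) it is rejected.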
