[Freeipa-users] Password expiration dates are different when being resetted by the (primary) admin and a different admin

Mon Sep 1 11:06:27 UTC 2014

On 08/29/2014 10:21 AM, Zip Ly wrote:
> @Martin
> 1) Yes, I did executed 8.5.3 from the wiki. Is this is reason for the
> systems behaviour?

Yes.

> if so why doesnt't it applies for both admins?

Because only a DN of the first admin was added. It applies only to objects
bound with this DN then.

> And it
> doesn't explain the 90 days, because it is not set in the tutorial.

90 days is the password policy defined password maximum life. You can check
with "ipa pwpolicy-show [group]". This value is not defined in
"cn=ipa_pwd_extop,cn=plugins,cn=config", thus not present in the docs.

> Unless
> some params are left out of the wiki for some reason. I'm using windows
> LDAP admin tool to browse the LDAP tree, but couln't find this param/value
> so I wasn't sure if the new setting is being used. I did get a confirmation
> while executing the change.

To set the the max password life, use "ipa pwpolicy-mod --maxlife $LIFE"
command (or Web UI).

> 
> @Dimitri
> 1) Yes, there are no problems with changing your own password. There is
> only something strange with the expiration lifetime when you are changing
> other users (admin or non-admin) password. The expiration lifetime of a
> password reset should be equal to BOTH admins like expired immediately, 90
> days or the value that is set in the password policy. I prefer the value in
> a password policy, because this way I have it more under control.
> 
> @Martin & @Will
> 1b) Ok, I'm afraid you may say that. Most free clients like gmail, hotmail,
> ebay, paypal doesn't require a password reset from time to time (yes they
> may have set a very high value). So I was wondering why it isn't possible.
> I know it's bad for security, but still.

I think the solution is to:

1) Change the password policy to a very high value (even in years), as Will
suggested in this thread.

2) Use service accounts (service-add) with keytabs for services which do not
need to change their passwords, given they authenticate with keytab which does
not suffer from password complexity issues.

3) Contribute to FreeIPA and make --maxlife 0 or similar mean unlimited
validity (https://fedorahosted.org/freeipa/ticket/2795) :-)

> On Thu, Aug 28, 2014 at 6:18 PM, Dmitri Pal <dpal at redhat.com> wrote:
> 
>>  On 08/28/2014 04:18 PM, Zip Ly wrote:
>>
>>  Hi,
>>
>>
>> I'm trying to change a user password without reset.
>> If I use the (primary) admin to change the password then it doesn't need a
>> password reset, because the expire lifetime is 90 days.
>>
>> But if I create a second admin, then every password change made by the
>> second admin needs a password reset, because the password is expired
>> immediately.
>>
>>  1a) Does anyone knows how I can change the policy/privilege of the
>> second admin so every password change doesn't require a reset? 1b) and is
>> it possible to set a different expire lifetime like zero for unlimited
>> lifetime?
>>
>>
>> You are probably changing password for the admin himself.
>> Isn't there a different flow when admin changes his own password?
>>
>>
>>
>>  It's almost the same bugreport as
>> https://fedorahosted.org/freeipa/ticket/2795 but the difference is there
>> should be 2 policies: one for changing your own password and another for
>> resetting other users password.
>>
>>
>> 2) Are there more differences in policies between the first (primary)
>> admin and the second admin you just created?
>>
>>
>> Kind regards,
>>
>> Zip
>>
>>
>>
>>
>>
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project
>>
> 
> 
> 