<div dir="ltr">Here's what I had to do:<div><br></div><div><a href="http://www.freeipa.org/page/PasswordSynchronization">http://www.freeipa.org/page/PasswordSynchronization</a><br></div></div><div class="gmail_extra"><br> <br><div class="gmail_quote">On Thu, Sep 26, 2013 at 10:35 AM, KodaK <span dir="ltr"><<a href="mailto:sakodak@gmail.com" target="_blank">sakodak@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div dir="ltr"><div>As far as I can tell, password policy is enforced on the client side, not the directory side.<br></div><div><br></div><div>I set up a self-service password reset utility which enforces its own rules and bypasses the IPA password policies.</div> <div><br></div><div>I used this one:</div><div><br></div><div><a href="http://ltb-project.org/wiki/" target="_blank">http://ltb-project.org</a><br></div><div><br></div><div>I created a user that had the ability to create passwords, but IIRC there was some setting I had to change so that the passwords created didn't require a change.</div> <div><br></div><div>I'm pretty sure someone in this list told me how, so I'll search and see if I can find it.</div><div><br></div><div>--Jason</div><div><br></div></div><div class="gmail_extra"><div><div class="h5"> <br><br><div class="gmail_quote"> On Thu, Sep 26, 2013 at 8:58 AM, Innes, Duncan <span dir="ltr"><<a href="mailto:Duncan.Innes@virginmoney.com" target="_blank">Duncan.Innes@virginmoney.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Sorry,<br> <div><br> > -----Original Message-----<br> > From: Martin Kosek [mailto:<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>]<br> > Sent: 26 September 2013 14:29<br> > To: Innes, Duncan<br> > Cc: <a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a><br> > Subject: Re: [Freeipa-users] Force IPA to accept password?<br> ><br> > On 09/26/2013 01:05 PM, Innes, Duncan wrote:<br> > > Hi,<br> > ><br> > > Can I force IPA to accept a new password that I have chosen?<br> ><br> > What password do you have in mind? A password of an IPA user?<br> ><br> <br> </div>Yes - for my authentication when SSHing onto a Linux box.<br> <div><br> > ><br> > > Today I've had to change my password in 2x AD domains and<br> > > other places according to policy. I've done this.<br> > ><br> > > But coming to IPA, I find that I've chosen a "BAD<br> > > PASSWORD". Without getting into the merits of the AD password<br> > > policy and the security of the password I've chosen, can I<br> > > force IPA to accept my new password at all?<br> ><br> > Well, without getting into security of the approach, you<br> > could change the global password policy or group password<br> > policy so that the new password is<br> > accepted:<br> ><br> > $ ipa pwpolicy-mod --minlength=5<br> ><br> > or<br> ><br> > $ ipa pwpolicy-add usergroup --minlength=5<br> ><br> > ... to "fix" whatever failing password policy attribute.<br> ><br> <br> </div>The error comes from a dictionary check I think. AD does as well as far<br> as I know, but would appear to have a smaller dictionary or looser<br> rules.<br> <br> Kind of what I expected/feared though. I don't want to change the IPA<br> policy at all, just override it's objection. For now, I went the long<br> route and changed my IPA password first, then changed the other<br> passwords<br> To match what IPA was happy with.<br> <br> > HTH,<br> > Martin<br> ><br> <br> Cheers & thanks for your help<br> <div><br> Duncan<br> <br> This message has been checked for viruses and spam by the Virgin Money email scanning system powered by Messagelabs.<br> <br> <br> <br> This e-mail is intended to be confidential to the recipient. If you receive a copy in error, please inform the sender and then delete this message.<br> <br> Virgin Money plc - Registered in England and Wales (Company no. 6952311). Registered office - Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL. Virgin Money plc is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.<br> <br> The following companies also trade as Virgin Money. They are both authorised and regulated by the Financial Conduct Authority, are registered in England and Wales and have their registered office at Discovery House, Whiting Road, Norwich NR4 6EJ: Virgin Money Personal Financial Service Limited (Company no. 3072766) and Virgin Money Unit Trust Managers Limited (Company no. 3000482).<br> <br> For further details of Virgin Money group companies please visit our website at <a href="http://virginmoney.com" target="_blank">virginmoney.com</a><br> <br> </div><div><div>_______________________________________________<br> Freeipa-users mailing list<br> <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br> </div></div></blockquote></div><br><br clear="all"><div><br></div></div></div><span class="HOEnZb"><font color="#888888">-- <br>The government is going to read our mail anyway, might as well make it tough for them. GPG Public key ID: B6A1A7C6 </font></span></div> </blockquote></div><br><br clear="all"><div><br></div>-- <br>The government is going to read our mail anyway, might as well make it tough for them. GPG Public key ID: B6A1A7C6 </div>