[Freeipa-users] Force IPA to accept password?

KodaK sakodak at gmail.com
Thu Sep 26 15:38:11 UTC 2013


Here's what I had to do:

http://www.freeipa.org/page/PasswordSynchronization


On Thu, Sep 26, 2013 at 10:35 AM, KodaK <sakodak at gmail.com> wrote:

> As far as I can tell, password policy is enforced on the client side, not
> the directory side.
>
> I set up a self-service password reset utility which enforces its own
> rules and bypasses the IPA password policies.
>
> I used this one:
>
> http://ltb-project.org <http://ltb-project.org/wiki/>
>
> I created a user that had the ability to create passwords, but IIRC there
> was some setting I had to change so that the passwords created didn't
> require a change.
>
> I'm pretty sure someone in this list told me how, so I'll search and see
> if I can find it.
>
> --Jason
>
>
>
> On Thu, Sep 26, 2013 at 8:58 AM, Innes, Duncan <
> Duncan.Innes at virginmoney.com> wrote:
>
>> Sorry,
>>
>> > -----Original Message-----
>> > From: Martin Kosek [mailto:mkosek at redhat.com]
>> > Sent: 26 September 2013 14:29
>> > To: Innes, Duncan
>> > Cc: freeipa-users at redhat.com
>> > Subject: Re: [Freeipa-users] Force IPA to accept password?
>> >
>> > On 09/26/2013 01:05 PM, Innes, Duncan wrote:
>> > > Hi,
>> > >
>> > > Can I force IPA to accept a new password that I have chosen?
>> >
>> > What password do you have in mind? A password of an IPA user?
>> >
>>
>> Yes - for my authentication when SSHing onto a Linux box.
>>
>> > >
>> > > Today I've had to change my password in 2x AD domains and
>> > > other places according to policy.  I've done this.
>> > >
>> > > But coming to IPA, I find that I've chosen a "BAD
>> > > PASSWORD".  Without getting into the merits of the AD password
>> > > policy and the security of the password I've chosen, can I
>> > > force IPA to accept my new password at all?
>> >
>> > Well, without getting into security of the approach, you
>> > could change the global password policy or group password
>> > policy so that the new password is
>> > accepted:
>> >
>> > $ ipa pwpolicy-mod --minlength=5
>> >
>> > or
>> >
>> > $ ipa pwpolicy-add usergroup --minlength=5
>> >
>> > ... to "fix" whatever failing password policy attribute.
>> >
>>
>> The error comes from a dictionary check I think.  AD does as well as far
>> as I know, but would appear to have a smaller dictionary or looser
>> rules.
>>
>> Kind of what I expected/feared though.  I don't want to change the IPA
>> policy at all, just override its objection.  For now, I went the long
>> route and changed my IPA password first, then changed the other
>> passwords to match what IPA was happy with.
>>
>> > HTH,
>> > Martin
>> >
>>
>> Cheers & thanks for your help
>>
>> Duncan
>>
>>
>
>
>
> --
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6
>


