[Freeipa-users] Force IPA to accept password?

Innes, Duncan Duncan.Innes at virginmoney.com
Fri Sep 27 09:03:15 UTC 2013 

> From: Martin Kosek [mailto:mkosek at redhat.com] 
> Sent: 27 September 2013 09:28
> To: Innes, Duncan
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Force IPA to accept password?
> 
> On 09/27/2013 09:31 AM, Innes, Duncan wrote:
> >
> >
> >> From: freeipa-users-bounces at redhat.com 
> >> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Sumit Bose
> >> Sent: 26 September 2013 17:36
> >> To: freeipa-users at redhat.com
> >> Subject: Re: [Freeipa-users] Force IPA to accept password?
> ...
> >> Which command did you use to change the password? 'passwd' or 'ipa 
> >> passwd'?
> >>
> >> If you use 'passwd' the PAM stack on the client for the passwd 
> >> command comes into play which typically has some modules like 
> >> pam_pwquality.so listed which do checks including dictionary
checks.
> >>
> >> If you use 'ipa passwd' the password should be only validated
> >> against the server-side password policy Martin mentioned above.
> >
> > Sumit, yes - I used 'passwd'.  I'll look into using 'ipa passwd' in 
> > about
> > 3 months time :-)
> 
> Eh, ok :-) BTW, you could also standard kpasswd, it should 
> also avoid modules like pam_pwquality.so and only use the 
> server policy.
> 
> Martin
> 

OK - this is opening my eyes somewhat.  I know about the password policy
section of IPA, but there doesn't appear to be anywhere to control the
quality of the password.  Is this done by PAM on the server?  If it's
not,
how do I enforce things like ensuring at least 1 upper case, 1 lower
case,
1 number and 1 special character?  I don't see that in the docs.

Would like to be able to ensure that the minimum password policy is
centralised
rather than perhaps having an erroneous strict policy on a few machines.

Thanks

Duncan

This message has been checked for viruses and spam by the Virgin Money email scanning system powered by Messagelabs.



This e-mail is intended to be confidential to the recipient. If you receive a copy in error, please inform the sender and then delete this message.

Virgin Money plc - Registered in England and Wales (Company no. 6952311). Registered office - Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL. Virgin Money plc is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.

The following companies also trade as Virgin Money. They are both authorised and regulated by the Financial Conduct Authority, are registered in England and Wales and have their registered office at Discovery House, Whiting Road, Norwich NR4 6EJ: Virgin Money Personal Financial Service Limited (Company no. 3072766) and Virgin Money Unit Trust Managers Limited (Company no. 3000482).

For further details of Virgin Money group companies please visit our website at virginmoney.com

More information about the Freeipa-users mailing list