[Freeipa-users] Force IPA to accept password?
Martin Kosek
mkosek at redhat.com
Fri Sep 27 09:28:12 UTC 2013
On 09/27/2013 11:14 AM, Sumit Bose wrote:
> On Fri, Sep 27, 2013 at 10:27:30AM +0200, Martin Kosek wrote:
>> On 09/27/2013 09:31 AM, Innes, Duncan wrote:
>>>
>>>
>>>> -----Original Message-----
>>>> From: freeipa-users-bounces at redhat.com
>>>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Sumit Bose
>>>> Sent: 26 September 2013 17:36
>>>> To: freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] Force IPA to accept password?
>> ...
>>>> Which command did you use to change the password? 'passwd' or
>>>> 'ipa passwd'?
>>>>
>>>> If you use 'passwd' the PAM stack on the client for the
>>>> passwd command comes into play which typically has some
>>>> modules like pam_pwquality.so listed which do checks
>>>> including dictionary checks.
>>>>
>>>> If you use 'ipa passwd' the password should be only validated
>>>> against the server-side password policy Martin mentioned above.
>>>
>>> Sumit, yes - I used 'passwd'. I'll look into using 'ipa passwd' in
>>> about
>>> 3 months time :-)
>>
>> Eh, ok :-) BTW, you could also standard kpasswd, it should also
>> avoid modules like pam_pwquality.so and only use the server policy.
>
> Martin, pam_pwquality has an option called 'local_users_only'. According
> to bz849072 it should be set by default since F18 but it looks like it
> is not set in F19. Should we open a ticket to investigate it?
>
> bye,
> Sumit
Hmm, you are right. I found the original bug:
https://bugzilla.redhat.com/show_bug.cgi?id=849072
... and filed a new bug for Fedora 19 so that this can be fixed:
https://bugzilla.redhat.com/show_bug.cgi?id=1012854
Martin
More information about the Freeipa-users
mailing list