[Freeipa-users] Password expiration dates are different when being reset by the (primary) admin and a different admin
Martin Kosek
mkosek at redhat.com
Thu Aug 28 14:44:07 UTC 2014
On 08/28/2014 04:18 PM, Zip Ly wrote:
> Hi,
>
>
> I'm trying to change a user password without reset.
> If I use the (primary) admin to change the password then it doesn't need a
> password reset, because the expire lifetime is 90 days.
This is strange. Did you by any chance add this admin's account DN to the
passSyncManagersDNs setting in the ipa_pwd_extop plugin?
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/pass-sync.html#password-sync
> But if I create a second admin, then every password change made by the
> second admin needs a password reset, because the password is expired
> immediately.
Right, this is done on purpose:
http://www.freeipa.org/page/New_Passwords_Expired
> 1a) Does anyone know how I can change the policy/privilege of the second
> admin so every password change doesn't require a reset?
See docs link above. But note it is a hack and we discourage it for reasons
written in the wiki link above.
> 1b) and is it
> possible to set a different expire lifetime like zero for unlimited
> lifetime?
No (for security reasons).
>
> It's almost the same bug report as
> https://fedorahosted.org/freeipa/ticket/2795 but the difference is there
> should be 2 policies: one for changing your own password and another for
> resetting other users password.
Administrative password change is only subject to the max password lifetime part
of the password policy AFAIR. Thus it already uses 2 different standards for
these password changes (e.g. password length is not enforced for administrative
password change).
> 2) Are there more differences in policies between the first (primary) admin
> and the second admin you just created?
There should not be. All members of the admins group should be equal in rights.
Martin
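A way to check the two things Martin's reply turns on, as an added example that is not part of this thread and not FreeIPA's own code: whether the admin doing the reset is listed in passSyncManagersDNs on the ipa_pwd_extop plugin entry, and whether the target user's krbPasswordExpiration is already in the past. The script reads LDIF (what ldapsearch prints) instead of talking to a server so it runs offline; the LDIF below is constructed, the second admin DN uid=admin2 is hypothetical, and the assumption that an immediately-expired password shows up as krbPasswordExpiration equal to krbLastPwdChange is mine, not something the thread states.

```python
"""Diagnose a FreeIPA admin password reset from ldapsearch LDIF output.

Added example (not FreeIPA code).  Attribute names follow FreeIPA's schema;
every value in SAMPLE_LDIF is constructed for illustration.
"""
import base64
from datetime import datetime, timezone

# Constructed sample: the ipa_pwd_extop plugin entry and two user entries
# as they might look right after two different admins reset a password.
SAMPLE_LDIF = """\
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
cn: ipa_pwd_extop
passSyncManagersDNs: uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=com

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
krbLastPwdChange: 20140828144407Z
krbPasswordExpiration: 20141126144407Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
krbLastPwdChange: 20140828144500Z
krbPasswordExpiration: 20140828144500Z
"""

PLUGIN_DN = "cn=ipa_pwd_extop,cn=plugins,cn=config"


def normalize_dn(dn):
    """Cheap DN normalisation: case-insensitive, whitespace around commas ignored."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Minimal LDIF reader returning {normalized_dn: {attr_lower: [values]}}.

    Handles '::' base64 values and leading-space line folding, which covers
    plain ldapsearch output.  Comment lines ('#') are skipped.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # folded continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries, attrs = {}, {}

    def flush(attrs):
        if attrs:
            entries[normalize_dn(attrs.pop("dn")[0])] = attrs

    for line in unfolded:
        if not line.strip():                        # blank line ends an entry
            flush(attrs)
            attrs = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):                   # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        attrs.setdefault(name.lower(), []).append(value)
    flush(attrs)
    return entries


def parse_generalized_time(value):
    """Parse the YYYYMMDDHHMMSSZ form used by FreeIPA's krb* time attributes."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def is_pass_sync_manager(entries, admin_dn):
    """True when admin_dn is listed in passSyncManagersDNs on the plugin entry."""
    plugin = entries.get(PLUGIN_DN, {})
    managers = {normalize_dn(d) for d in plugin.get("passsyncmanagersdns", [])}
    return normalize_dn(admin_dn) in managers


def password_expired(entries, user_dn, now_gt):
    """True when krbPasswordExpiration is at or before now_gt (generalized time).
    A missing attribute is treated as 'not expired'."""
    values = entries[normalize_dn(user_dn)].get("krbpasswordexpiration")
    if not values:
        return False
    return parse_generalized_time(values[0]) <= parse_generalized_time(now_gt)


def expired_at_change(entries, user_dn):
    """Assumption (not stated in the thread): an immediately-expired password
    has krbPasswordExpiration equal to krbLastPwdChange."""
    user = entries[normalize_dn(user_dn)]
    exp = user.get("krbpasswordexpiration", [None])[0]
    changed = user.get("krblastpwdchange", [None])[0]
    return exp is not None and exp == changed


def diagnose(ldif_text, admin_dn, user_dn, now_gt):
    """Summarise why a reset by admin_dn did or did not expire user_dn's password."""
    entries = parse_ldif(ldif_text)
    return {
        "admin_is_pass_sync_manager": is_pass_sync_manager(entries, admin_dn),
        "password_expired": password_expired(entries, user_dn, now_gt),
        "expired_at_change": expired_at_change(entries, user_dn),
    }


if __name__ == "__main__":
    base = "cn=users,cn=accounts,dc=example,dc=com"
    for admin, user in (("uid=admin," + base, "uid=alice," + base),
                        ("uid=admin2," + base, "uid=bob," + base)):   # admin2 is hypothetical
        print(admin, "->", user, diagnose(SAMPLE_LDIF, admin, user, "20140828150000Z"))
```

To feed it real data, export the two entries as Directory Manager, e.g. `ldapsearch -LLL -D "cn=Directory Manager" -W -b "cn=ipa_pwd_extop,cn=plugins,cn=config" passSyncManagersDNs` and `ldapsearch -LLL -D "cn=Directory Manager" -W -b "uid=bob,cn=users,cn=accounts,dc=example,dc=com" krbPasswordExpiration krbLastPwdChange`, and pass the concatenated output in place of SAMPLE_LDIF. An admin that appears in passSyncManagersDNs bypasses the immediate expiration, which is the "hack" Martin discourages: that admin's resets leave the user with a password the admin knows and no forced change.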