[Freeipa-users] Password expiration dates are different when being resetted by the (primary) admin and a different admin

Zip Ly ziplyx at gmail.com
Fri Aug 29 08:21:10 UTC 2014


@Martin
1) Yes, I did execute 8.5.3 from the wiki. Is this the reason for the
system's behaviour? If so, why doesn't it apply for both admins? And it
doesn't explain the 90 days, because it is not set in the tutorial. Unless
some params are left out of the wiki for some reason. I'm using a Windows
LDAP admin tool to browse the LDAP tree, but couldn't find this param/value
so I wasn't sure if the new setting is being used. I did get a confirmation
while executing the change.

@Dimitri
1) Yes, there are no problems with changing your own password. There is
only something strange with the expiration lifetime when you are changing
another user's (admin or non-admin) password. The expiration lifetime of a
password reset should be equal for BOTH admins, like expired immediately, 90
days or the value that is set in the password policy. I prefer the value in
a password policy, because this way I have it more under control.

@Martin & @Will
1b) Ok, I'm afraid you may say that. Most free clients like gmail, hotmail,
ebay, paypal don't require a password reset from time to time (yes, they
may have set a very high value). So I was wondering why it isn't possible.
I know it's bad for security, but still.




On Thu, Aug 28, 2014 at 6:18 PM, Dmitri Pal <dpal at redhat.com> wrote:

>  On 08/28/2014 04:18 PM, Zip Ly wrote:
>
>  Hi,
>
>
> I'm trying to change a user password without reset.
> If I use the (primary) admin to change the password then it doesn't need a
> password reset, because the expire lifetime is 90 days.
>
> But if I create a second admin, then every password change made by the
> second admin needs a password reset, because the password is expired
> immediately.
>
>  1a) Does anyone know how I can change the policy/privilege of the
> second admin so every password change doesn't require a reset? 1b) and is
> it possible to set a different expire lifetime like zero for unlimited
> lifetime?
>
>
> You are probably changing password for the admin himself.
> Isn't there a different flow when admin changes his own password?
>
>
>
>  It's almost the same bug report as
> https://fedorahosted.org/freeipa/ticket/2795 but the difference is there
> should be 2 policies: one for changing your own password and another for
> resetting other users' passwords.
>
>
> 2) Are there more differences in policies between the first (primary)
> admin and the second admin you just created?
>
>
> Kind regards,
>
> Zip
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>