[Freeipa-users] change min and max lifetime of random password

Dmitri Pal dpal at redhat.com
Mon Mar 24 17:28:36 UTC 2014


On 03/24/2014 01:15 PM, Stijn De Weirdt wrote:
> hi all,
>
> i'm trying to limit the minimum and maximum lifetime of passwords (in 
> particular the random password when a host is added; but i guess this 
> is more general).
>
> (i'm using ipa 3.0 from el6 and also looking at 3.3 from rhel7 beta, 
> but the relevant code seems the same or at least very similar)
>
> i'm currently adding the host first via the api and then setting the 
> random password with host_mod like
>
> api.Command.host_add(u''+host)
> api.Command.host_mod(u''+host,random=True)
>
> (for some reason, this is what is needed on 3.0; anyway, that's not my 
> issue)
>
> is there a way that i can change it easily somehow afterwards 
> (preferred way) or can i create and use a custom pwpolicy class that 
> sets my preferred defaults (min 1 minute, max 20 minutes); or do i 
> monkeypatch the whole class (assuming that pwpolicy_add is called on 
> the user side, not on the server side).
>
> all tips are welcome.


The whole idea of the host passwords is to be added as a part of the 
provisioning workflow so it should be seconds anyways.
We created a "smart proxy" for Foreman (provisioning system) to drive 
host creation. It just landed upstream (first version) last week.
Any chance you can use or reuse some of the code from it in your 
provisioning workflows?

Also can you explain why the expiration time is needed? I can understand 
it being needed if the password is created ahead of time and then not 
used for a period of time but here it is really one flow. You can't 
predict how much it would be, 2 seconds or 10 seconds, but is it really 
important to put a cap on it?

If this is desired, the right feature would be to add a couple of attributes 
to the host entry: creation time and validity interval, and set them when 
the password is created. But it is more than a quick fix. You are welcome 
to file an RFE and put all the details in the ticket.




>
> many thanks,
>
> stijn
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

