[Freeipa-users] change min and max lifetime of random password

Rob Crittenden rcritten at redhat.com
Mon Mar 24 19:06:05 UTC 2014


Stijn De Weirdt wrote:
> hi all,
>
> i'm trying to limit the minimum and maximum lifetime of passwords (in
> particular the random password when a host is added; but i guess this
> is more general).
>
> (i'm using ipa 3.0 from el6 and also looking at 3.3 from rhel7 beta, but
> the relevant code seems the same or at least very similar)
>
> i'm currently adding the host first via the api and then setting the
> random password with host_mod like
>
> api.Command.host_add(u''+host)
> api.Command.host_mod(u''+host,random=True)
>
> (for some reason, this is what is needed on 3.0; anyway, that's not my
> issue)
>
> is there a way that i can change it easily somehow afterwards (preferred
> way) or can i create and use a custom pwpolicy class that sets my
> preferred defaults (min 1 minute, max 20 minutes); or do i monkeypatch
> the whole class (assuming that pwpolicy_add is called on the user side,
> not on the server side).
>
> all tips are welcome.

You can only specify password policy for User Groups, not host groups, 
so there is no way to do this currently. It also isn't that 
fine-grained. The minimum lifetime is 1 hour, the minimum of the maximum 
lifetime is 1 day.

I don't see why support for Host Groups (and therefore Hosts) can't be 
added. I'm not 100% sure about the tuning for min/max lifetime but it 
should be possible. AFAIR we convert the values from seconds to hours 
and days.

Can you file a ticket at https://fedorahosted.org/freeipa/newticket ?

rob



