[Freeipa-users] Unexpired pw?

Alexander Bokovoy abokovoy at redhat.com
Fri Mar 27 13:14:40 UTC 2015


On Fri, 27 Mar 2015, Janelle wrote:
>
>Hi all,
>
>Found an odd issue and a question.  If you change user pw with "ipa
>user-mod -password" and the client is configured for LDAP, then the
>user is not forced to change the pw on initial login.
We have three different cases depending on who changes the userPassword
attribute in LDAP:

1. cn=Directory Manager can change anything and it doesn't taint the
userPassword.

2. A user can change their own password and it doesn't taint the userPassword
attribute.

3. Any other identity that can change a password will taint the userPassword
attribute.

If you change user password with "ipa user-mod --password" the question
should be "who are you?" and the answer to that question drives the
tainting logic described above.

>However, my other question is, can you set a user pw WITHOUT
>pre-expiring?!
cn=Directory Manager is the one who can, but directly in LDAP, as you
cannot authenticate as 'cn=Directory Manager' using IPA tools.

If you insist on lowering the security of your passwords, nothing
prevents you from changing the user password to some value as the admin user
first and then setting it as that user to the correct value. We don't
recommend doing so, but you already have the means to ignore our
recommendations.

-- 
/ Alexander Bokovoy
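An added example, not part of the thread above: an offline audit that reads an LDIF export of user entries and reports which accounts still carry a pre-expired password (case 3 above) versus a normally aged or valid one. It assumes the entries carry krbPasswordExpiration and krbLastPwdChange as LDAP GeneralizedTime strings (the FreeIPA schema attributes), and that an admin reset leaves krbPasswordExpiration at the reset time; the sample LDIF is constructed.

```python
from datetime import datetime, timezone

# Constructed sample: one user per state. "bob" was just reset by an admin,
# so his expiry equals his last change; "carol" aged out normally.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
krbLastPwdChange: 20150327120000Z
krbPasswordExpiration: 20150625120000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
krbLastPwdChange: 20150327131440Z
krbPasswordExpiration: 20150327131440Z

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
krbLastPwdChange: 20141201090000Z
krbPasswordExpiration: 20150301090000Z
"""


def parse_ldif(text):
    """Minimal LDIF reader: one dict of single-valued attributes per entry."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(": ")
        cur[attr] = value
    if cur:
        entries.append(cur)
    return entries


def gen_time(value):
    """Parse LDAP GeneralizedTime (YYYYMMDDHHMMSSZ) into an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def classify(entry, now):
    """reset-pending: expiry not later than last change (assumed admin reset);
    expired: expiry already passed; valid: otherwise."""
    expires = gen_time(entry["krbPasswordExpiration"])
    changed = gen_time(entry["krbLastPwdChange"])
    if expires <= changed:
        return "reset-pending"
    if expires <= now:
        return "expired"
    return "valid"


def audit(text, now):
    """Map each uid in the LDIF text to its password state at time `now`."""
    return {e["uid"]: classify(e, now) for e in parse_ldif(text)}
```

Run `audit(SAMPLE_LDIF, datetime.now(timezone.utc))` against a real `ldapsearch -LLL` export of cn=users to list accounts whose forced change is still pending.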