[Freeipa-users] Unexpiring user passwords
Joshua J. Kugler
joshua at azariah.com
Sun May 1 02:53:40 UTC 2016
I have read this page http://www.freeipa.org/page/New_Passwords_Expired
Aside from the fact that the decision should have been left to the company and
their policies, and violates the tenant that software should have sane
defaults while leaving flexibility to the user, I'm wondering if you can help
me.
We have a situation where the passwords in FreeIPA need to be synchronized
with another system in the company (a database of users, which is the
authoritative source for users and passwords). But, from what I read, the
documentation is telling me we can't do that, because if we followed this work
flow:
1. Users goes to "master DB" and changes their password
2. master DB runs a script which sets password on FreeIPA system
3. User's login is now broken because the password is expired.
It is really unfortunate that this design decision was made, because
1. It prevents FreeIPA from being integrated with existing systems (telling
people, effectively, you have to use FreeIPA for EVERYTHING or you can't use us
at all)
2. It doesn't really improve security as claimed, because if the user's new
password is intercepted, the interceptor can use that password to login and
change the expired password, still giving access.
Is there a way around this? Is there a password synchronization protocol that
can be used to link up systems that need to have common logins?
Thanks for any help you can offer!
j
--
Joshua J. Kugler -- Fairbanks, AK
Blogs: http://jjncj.com/blog/ (Family) -- http://joshuakugler.com (Geek)
Every knee shall bow, and every tongue confess, in heaven, on earth, and under
the earth, that Jesus Christ is LORD
More information about the Freeipa-users
mailing list