[Freeipa-users] Unexpiring user passwords

Joshua J. Kugler joshua at azariah.com
Sun May 1 02:53:40 UTC 2016


I have read this page http://www.freeipa.org/page/New_Passwords_Expired
 
Aside from the fact that the decision should have been left to the company and 
their policies, and violates the tenet that software should have sane 
defaults while leaving flexibility to the user, I'm wondering if you can help 
me.

We have a situation where the passwords in FreeIPA need to be synchronized 
with another system in the company (a database of users, which is the 
authoritative source for users and passwords).  But, from what I read, the 
documentation is telling me we can't do that, because if we followed this work 
flow:

1. User goes to "master DB" and changes their password
2. master DB runs a script which sets password on FreeIPA system
3. User's login is now broken because the password is expired.

It is really unfortunate that this design decision was made, because
1. It prevents FreeIPA from being integrated with existing systems (telling 
people, effectively, you have to use FreeIPA for EVERYTHING or you can't use us 
at all)
2. It doesn't really improve security as claimed, because if the user's new 
password is intercepted, the interceptor can use that password to log in and 
change the expired password, still giving access.

Is there a way around this? Is there a password synchronization protocol that 
can be used to link up systems that need to have common logins?

Thanks for any help you can offer!

j

-- 
Joshua J. Kugler -- Fairbanks, AK
Blogs: http://jjncj.com/blog/ (Family) -- http://joshuakugler.com (Geek)
Every knee shall bow, and every tongue confess, in heaven, on earth, and under 
the earth, that Jesus Christ is LORD



