[Freeipa-users] Unexpiring user passwords

Rob Crittenden rcritten at redhat.com
Sun May 1 16:31:14 UTC 2016


Joshua J. Kugler wrote:
> I have read this page http://www.freeipa.org/page/New_Passwords_Expired
>
> Aside from the fact that the decision should have been left to the company and
> their policies, and violates the tenet that software should have sane
> defaults while leaving flexibility to the user, I'm wondering if you can help
> me.
>
> We have a situation where the passwords in FreeIPA need to be synchronized
> with another system in the company (a database of users, which is the
> authoritative source for users and passwords).  But, from what I read, the
> documentation is telling me we can't do that, because if we followed this
> workflow:
>
> 1. User goes to "master DB" and changes their password
> 2. master DB runs a script which sets password on FreeIPA system
> 3. User's login is now broken because the password is expired.
>
> It is really unfortunate that this design decision was made, because
> 1. It prevents FreeIPA from being integrated with existing systems (telling
> people, effectively, you have to use FreeIPA for EVERYTHING or you can't use us
> at all)
> 2. It doesn't really improve security as claimed, because if the user's new
> password is intercepted, the interceptor can use that password to login and
> change the expired password, still giving access.
>
> Is there a way around this? Is there a password synchronization protocol that
> can be used to link up systems that need to have common logins?

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#password-sync

rob
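The three-step workflow quoted above fails at step 3 because FreeIPA treats a password set by anyone other than the user (an administrator, or a sync script binding as a service account) as an administrative reset and expires it immediately. FreeIPA's documented exemption for synchronization agents is the passSyncManagersDNs attribute on the cn=ipa_pwd_extop,cn=plugins,cn=config plugin entry: a bind DN listed there sets passwords that get a normal lifetime instead of an immediate expiry. The following is an added example, written for this thread and not code from FreeIPA or from either poster. It models that rule so the failure mode and the fix can be seen side by side, and emits the LDIF that registers a sync account. The DNs, the 90-day lifetime (in real deployments it comes from the password policy's krbMaxPwdLife) and the sync account name are constructed assumptions.

```python
"""Model of FreeIPA's admin-reset expiry rule and the passSyncManagersDNs fix.

Added example: this is a simplified model of the documented behaviour, not
FreeIPA's own code. Sample DNs and the 90-day lifetime are constructed.
"""
from datetime import datetime, timedelta, timezone

# Plugin entry that carries passSyncManagersDNs (documented FreeIPA location).
PWD_EXTOP_DN = "cn=ipa_pwd_extop,cn=plugins,cn=config"

# Constructed sample accounts for the demonstration.
USER_DN = "uid=jkugler,cn=users,cn=accounts,dc=example,dc=com"
ADMIN_DN = "uid=admin,cn=users,cn=accounts,dc=example,dc=com"
SYNC_DN = "uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com"


def _norm(dn: str) -> str:
    """Case-insensitive, whitespace-tolerant DN comparison key."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def expiration_after_set(target_dn: str, binder_dn: str,
                         pass_sync_managers: list[str],
                         now: datetime,
                         max_life_days: int = 90) -> datetime:
    """Return the krbPasswordExpiration a password set would produce.

    A self-change, or a set performed by a DN listed in passSyncManagersDNs,
    receives the policy lifetime. Any other setter is treated as an
    administrative reset and the password expires immediately (now).
    """
    managers = {_norm(dn) for dn in pass_sync_managers}
    if _norm(binder_dn) == _norm(target_dn) or _norm(binder_dn) in managers:
        return now + timedelta(days=max_life_days)
    return now


def is_expired(expiration: datetime, now: datetime) -> bool:
    """True when a login at `now` would be forced into a password change."""
    return expiration <= now


def pass_sync_manager_ldif(sync_dn: str) -> str:
    """LDIF that registers `sync_dn` as a password-sync manager.

    Apply with ldapmodify as Directory Manager on the IPA server (assumed
    operational step; not run here).
    """
    return "\n".join([
        f"dn: {PWD_EXTOP_DN}",
        "changetype: modify",
        "add: passSyncManagersDNs",
        f"passSyncManagersDNs: {sync_dn}",
        "",
    ])


def sync_scenario(register_sync_account: bool, now: datetime) -> bool:
    """Run the thread's workflow: the sync script sets the user's password.

    Returns True if the user's next login is broken (password expired).
    """
    managers = [SYNC_DN] if register_sync_account else []
    exp = expiration_after_set(USER_DN, SYNC_DN, managers, now)
    return is_expired(exp, now)


if __name__ == "__main__":
    t0 = datetime(2016, 5, 1, 16, 31, tzinfo=timezone.utc)
    print("login broken without registration:", sync_scenario(False, t0))
    print("login broken with registration:   ", sync_scenario(True, t0))
    print(pass_sync_manager_ldif(SYNC_DN))
```

The model shows why step 3 of the quoted workflow breaks: the sync script binds as its own service account, so FreeIPA sets the expiry to the moment of the change. Listing that service account in passSyncManagersDNs changes only the expiry calculation for passwords set by that DN, so the grant should be limited to the one account the sync script binds as, not to a general administrator.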
