On Thu, 2014-06-19 at 17:32 +0200, thierry bordaz wrote:
> On 06/19/2014 03:41 PM, Simo Sorce wrote:
> > On Thu, 2014-06-19 at 15:32 +0200, thierry bordaz wrote:
> >>                  (those values must be active DN entries)
> >>                  userPassword/krb keys: copied from source entry if
> >> they
> >>                  exists
> > Uhmm this may actually fail, as we prevent storing pre-hashed
> > passwords :/
> > We'll have to somehow detect that krbprincipalkeys are also being added
> > at the same time and allow pre-hashed password in that case, I guess.

> Oppss that is right, (ipapwd_pre_add I think) in that case there is no 
> entry extension to retrieve the unhash password.

Yeah we would need to change the logic there, to allow this specific
case.

> > Also I realized one thing for deleted users, should we preserve password
> > History (should we put the last used password there) ?
> do you mean attribute krbPwdHistory or passwordHistory?

We do not use krbPwdHistory

> keeping passwordHistory would improve security. This prevents reuse the 
> same set of passwords just by doing user-delete/user-undelete.
> good to add the current password to this history.

Right, but should we add there the current password being deleted ?
I think we should, unless we want to allow a user to pick up the same
password he had before deletion, which could be clearly expired by the
time a user is reactivated.

Simo.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to