On Thu, 2014-06-19 at 17:32 +0200, thierry bordaz wrote: > On 06/19/2014 03:41 PM, Simo Sorce wrote: > > On Thu, 2014-06-19 at 15:32 +0200, thierry bordaz wrote: > >> (those values must be active DN entries) > >> userPassword/krb keys: copied from source entry if > >> they > >> exists > > Uhmm this may actually fail, as we prevent storing pre-hashed > > passwords :/ > > We'll have to somehow detect that krbprincipalkeys are also being added > > at the same time and allow pre-hashed password in that case, I guess.
> Oppss that is right, (ipapwd_pre_add I think) in that case there is no > entry extension to retrieve the unhash password. Yeah we would need to change the logic there, to allow this specific case. > > Also I realized one thing for deleted users, should we preserve password > > History (should we put the last used password there) ? > do you mean attribute krbPwdHistory or passwordHistory? We do not use krbPwdHistory > keeping passwordHistory would improve security. This prevents reuse the > same set of passwords just by doing user-delete/user-undelete. > good to add the current password to this history. Right, but should we add there the current password being deleted ? I think we should, unless we want to allow a user to pick up the same password he had before deletion, which could be clearly expired by the time a user is reactivated. Simo. _______________________________________________ Freeipa-devel mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-devel
