URL: https://github.com/freeipa/freeipa/pull/403
Title: #403: Add new ipa passwd-generate command

abbra commented:
@redhatrises, could you please explain more why you need this command as it is?

FreeIPA allows to have multiple password policies. If you want to generate 
passwords that conform to a particular policy, it would be more reasonable to 
retrieve the password policy and use it to supply as arguments of the password 

The generated password does not need to be transferred over the network. As you 
are adding a command to IPA, it could be a client-side plugin because Python 
client side code always has access to ipapython.util module. 

There could be multiple password generators. For example, on Linux systems you 
can simply use `pwqgen` utility from passwdqc package to generate passwords 
compatible with FreeIPA password policies. Granted, a configuration file needs 
to be created that translates a FreeIPA password policy but this is at least 
something that a command in IPA could do on the client side after fetching a 

If the password generation is based on a particular policy and is moved to the 
client side, why not creating a plugin to ipa-advise instead? It would actually 
generate a script that calls pwqgen or other generator tool. This would be more 
useful to other environments as the script would also contain a reference to 
the password policy parameters and can be run independent of the FreeIPA 

Let me know what do you think about it.

See the full comment at 
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to