On Tue, 13 Jul 2021, Angelo Alvarez via FreeIPA-users wrote:
Aloha. If I configure users to authenticate using smart card, is it possible to disable the user's password, so it can no longer be used for authentication and does not require updating every 60 days, etc.?
Assuming that the password was set, in the first place? If you are creating new users you can simply not set the password at all.

If you want users to be exempt from a password rotation, a password policy has to be created and associated with a group that these users are members of. This is what FreeIPA does behind the scenes with service and host principals, see /usr/share/ipa/updates/20-default_password_policy.update

For users with a password already set, one can randomize it and throw it away with ipa-getkeytab as an administrator or as cn=Directory Manager. The latter can be achieved by running ipa-getkeytab as root against the LDAPI URI (the one from /etc/ipa/default.conf on the IPA server) on the IPA server itself:

    # ipa-getkeytab -H `grep ldap_uri /etc/ipa/default.conf | cut -d= -f2` -Y EXTERNAL -p foobar -k ./remove.keytab
    # rm ./remove.keytab

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
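The two steps Alexander describes (a no-expiry password policy bound to a group, then discarding an existing password by regenerating the user's Kerberos keys with ipa-getkeytab over LDAPI) put together as one script. This is an added example, not code from the thread or from the FreeIPA project. Assumptions: the group and policy name "smartcard-only", the policy priority 10, and the sample default.conf contents used for testing are all made up here; the `ipa pwpolicy-add`, `ipa group-add-member` and `ipa-getkeytab` invocations must be run as root on an IPA server with a valid admin ticket, which is why they are kept behind an explicit `run` argument.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or FreeIPA itself).
# Assumed names: group/policy "smartcard-only", priority 10.
set -eu

# Extract ldap_uri from an IPA default.conf. Unlike `grep | cut -d= -f2`
# this strips surrounding whitespace and ignores commented-out lines, so the
# value can be safely quoted when passed to ipa-getkeytab.
ipa_ldap_uri() {
    sed -n 's/^[[:space:]]*ldap_uri[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Ensure a group exists with a password policy whose max lifetime is 0
# (no forced rotation for members). Policy and group share the name, as the
# ipa pwpolicy commands address policies by group.
exempt_group_from_rotation() {
    group=$1
    ipa group-show "$group" >/dev/null 2>&1 \
        || ipa group-add "$group" --desc="Smart-card-only users, no password rotation"
    ipa pwpolicy-show "$group" >/dev/null 2>&1 \
        || ipa pwpolicy-add "$group" --maxlife=0 --minlife=0 --priority=10
}

# Invalidate a user's existing password: add them to the exempt group, then
# fetch a fresh keytab for their principal over LDAPI with SASL EXTERNAL (root
# on the IPA server maps to cn=Directory Manager). Retrieving the keytab
# regenerates the principal's keys, so the old password no longer works; the
# keytab itself is thrown away, which is the whole point.
discard_user_password() {
    user=$1
    group=$2
    conf=${3:-/etc/ipa/default.conf}
    uri=$(ipa_ldap_uri "$conf")
    [ -n "$uri" ] || { echo "no ldap_uri in $conf" >&2; return 1; }

    ipa group-add-member "$group" --users="$user"

    # ipa-getkeytab appends to an existing keytab, so give it a fresh path
    # inside a private temp dir rather than an empty pre-created file.
    tmpdir=$(mktemp -d)
    ipa-getkeytab -H "$uri" -Y EXTERNAL -p "$user" -k "$tmpdir/discard.keytab"
    rm -rf "$tmpdir"
}

# Usage (only when explicitly asked, so sourcing the file has no side effects):
#   sh disable-password.sh run USERNAME
case "${1:-}" in
    run)
        exempt_group_from_rotation smartcard-only
        discard_user_password "$2" smartcard-only
        ;;
esac
```

Two caveats a practitioner should keep in mind: the group membership must be in place before the policy is expected to apply, and `ipa-getkeytab` without `-r` always generates new keys, so do not point it at a user whose password you intend to keep.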
