As far as I can tell, password policy is enforced on the client side, not
the directory side.
I set up a self-service password reset utility which enforces its own rules
and bypasses the IPA password policies.
I used this one:
I created a user that had the ability to create passwords, but IIRC there
was some setting I had to change so that the passwords created didn't
require a change.
I'm pretty sure someone in this list told me how, so I'll search and see if
I can find it.
On Thu, Sep 26, 2013 at 8:58 AM, Innes, Duncan <duncan.in...@virginmoney.com
> > -----Original Message-----
> > From: Martin Kosek [mailto:mko...@redhat.com]
> > Sent: 26 September 2013 14:29
> > To: Innes, Duncan
> > Cc: email@example.com
> > Subject: Re: [Freeipa-users] Force IPA to accept password?
> > On 09/26/2013 01:05 PM, Innes, Duncan wrote:
> > > Hi,
> > >
> > > Can I force IPA to accept a new password that I have chosen?
> > What password do you have in mind? A password of an IPA user?
> Yes - for my authentication when SSHing onto a Linux box.
> > >
> > > Today I've had to change my password in 2x AD domains and
> > > other places according to policy. I've done this.
> > >
> > > But coming to IPA, I find that I've chosen a "BAD
> > > PASSWORD". Without getting into the merits of the AD password
> > > policy and the security of the password I've chosen, can I
> > > force IPA to accept my new password at all?
> > Well, without getting into security of the approach, you
> > could change the global password policy or group password
> > policy so that the new password is
> > accepted:
> > $ ipa pwpolicy-mod --minlength=5
> > or
> > $ ipa pwpolicy-add usergroup --minlength=5
> > ... to "fix" whatever failing password policy attribute.
> The error comes from a dictionary check I think. AD does as well as far
> as I know, but would appear to have a smaller dictionary or looser
> Kind of what I expected/feared though. I don't want to change the IPA
> policy at all, just override its objection. For now, I went the long
> route and changed my IPA password first, then changed the other
> To match what IPA was happy with.
> > HTH,
> > Martin
> Cheers & thanks for your help
> Freeipa-users mailing list
The government is going to read our mail anyway, might as well make it
tough for them. GPG Public key ID: B6A1A7C6