On 09/27/2013 11:03 AM, Innes, Duncan wrote:
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: 27 September 2013 09:28
To: Innes, Duncan
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Force IPA to accept password?

On 09/27/2013 09:31 AM, Innes, Duncan wrote:


From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Sumit Bose
Sent: 26 September 2013 17:36
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Force IPA to accept password?
...
Which command did you use to change the password? 'passwd' or 'ipa
passwd'?

If you use 'passwd' the PAM stack on the client for the passwd
command comes into play which typically has some modules like
pam_pwquality.so listed which do checks including dictionary
checks.

If you use 'ipa passwd' the password should be only validated
against the server-side password policy Martin mentioned above.

Sumit, yes - I used 'passwd'.  I'll look into using 'ipa passwd' in about
3 months time :-)

Eh, ok :-) BTW, you could also use standard kpasswd, it should
also avoid modules like pam_pwquality.so and only use the
server policy.

Martin


OK - this is opening my eyes somewhat.  I know about the password policy
section of IPA, but there doesn't appear to be anywhere to control the
quality of the password.  Is this done by PAM on the server?  If it's not,
how do I enforce things like ensuring at least 1 upper case, 1 lower case,
1 number and 1 special character?  I don't see that in the docs.

This should help:
http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/user-pwdpolicy.html

You can control character classes - if you set that for example to 3, passwords need to have at least:
- one number, one lower-case char, one upper-case char
OR
- one number, one special char, one lower case char.

You can also set minimal length. These 2 options should provide the settings you requested.

Note that the policy is not related to PAM, it is required by an LDAP server plugin on the FreeIPA server - so that it affects all possible password changes - like "ldappasswd", "passwd", "kpasswd" and others.


Would like to be able to ensure that the minimum password policy is centralised
rather than perhaps having an erroneous strict policy on a few machines.

+1. You can set that centrally on server, you can even set different policies for different groups. It can just happen that pam_pwquality.so may interfere (as we found out) and add its own password quality requirements on top of FreeIPA centralized ones.

Martin
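As an added illustration (not code from this thread or from FreeIPA itself), the following Python mirrors the two server-side rules Martin describes, the number of character classes and the minimum length, which correspond to the minclasses and minlength attributes of an IPA password policy. It is a simplified model: only the four classes named in the thread are counted, whereas the real server plugin may count further classes.

```python
import string

# Simplified emulation of the FreeIPA password-policy check discussed above:
# a password must contain at least `minclasses` of the character classes
# and be at least `minlength` characters long. Only the four classes named
# in the thread are modelled here; the real server plugin may count more.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def classes_present(password):
    """Return the set of class names that occur in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def check_policy(password, minclasses=3, minlength=8):
    """Return a list of policy violations; an empty list means it passes."""
    violations = []
    if len(password) < minlength:
        violations.append(f"length {len(password)} < minlength {minlength}")
    present = classes_present(password)
    if len(present) < minclasses:
        violations.append(f"only {len(present)} of {minclasses} required "
                          f"character classes present: {sorted(present)}")
    return violations


if __name__ == "__main__":
    # Constructed sample passwords, chosen to match the two combinations
    # Martin lists for minclasses=3 plus two failing cases.
    for pw in ("Secret123", "secret#123", "secret123", "Ab1!"):
        result = check_policy(pw)
        print(f"{pw!r}: {'OK' if not result else '; '.join(result)}")
```

Because this check runs in the 389-ds plugin on the server, the same result applies whichever client tool submits the change; a client-side pam_pwquality.so rule is an extra layer on top, not a replacement.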

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
