On 09/27/2013 11:14 AM, Sumit Bose wrote:
On Fri, Sep 27, 2013 at 10:27:30AM +0200, Martin Kosek wrote:
On 09/27/2013 09:31 AM, Innes, Duncan wrote:

-----Original Message-----
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Sumit Bose
Sent: 26 September 2013 17:36
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Force IPA to accept password?
Which command did you use to change the password? 'passwd' or
'ipa passwd'?

If you use 'passwd' the PAM stack on the client for the
passwd command comes into play which typically has some
modules like pam_pwquality.so listed which do checks
including dictionary checks.

If you use 'ipa passwd' the password should be only validated
against the server-side password policy Martin mentioned above.

Sumit, yes - I used 'passwd'.  I'll look into using 'ipa passwd' in
3 months time :-)

Eh, ok :-) BTW, you could also standard kpasswd, it should also
avoid modules like pam_pwquality.so and only use the server policy.

Martin, pam_pwquality has an option called 'local_users_only'. According
to bz849072 it should be set by default since F18 but it looks like it
is not set in F19. Should we open a ticket to investigate it?


Hmm, you are right. I found the original bug:

... and filed a new bug for Fedora 19 so that this can be fixed:


Freeipa-users mailing list

Reply via email to