On Thu, 20 Feb 2014, Jan Pazdziora wrote:
On Tue, Feb 18, 2014 at 04:44:30PM -0500, Dmitri Pal wrote:
On 02/17/2014 10:51 PM, barry...@gmail.com wrote:
>Is it possible to set allow password to send to user after user request.
>I used one of the self password services, pwm, but it seems it is not
>compatible with retrieval of password
>using cert request / Answer and questions retrieval

Passwords can't be sent to the user. You can, using an administrative
account, set a new password (i.e. do an admin reset) and send it to
the user, but then the user will be asked to change it on the first

Since I've heard the requirement for no password change forced on user
upon their first login from multiple sides, I wonder if the current
behaviour stems from some technical reason or if it's just a security
approach which the FreeIPA admins should be able to override.
There is no such thing as 'just' when taking security seriously, sorry.

Any change of the password by someone other than the owner of it taints
the password. Administrator setting the password taints it because what
is known to more than one party cannot be considered secret anymore.

If certain organization policy needs to override this, a sequence like

$ kinit admin
$ echo "nimda$NEWPASSWORD" | ipa passwd user
$ echo -e "nimda$NEWPASSWORD\n$NEWPASSWORD\n$NEWPASSWORD" | kpasswd user

would set $NEWPASSWORD for the user. You can certainly script it, but I'd
recommend thinking seriously about how well this goes with the data security
regulations an organization could be subject to.
/ Alexander Bokovoy

Freeipa-users mailing list