Stijn De Weirdt wrote:
hi all,

i'm trying to limit the minimum and maximum lifetime of passwords (in
particular the random password when a host is added; but i guess this
is more general).

(i'm using ipa 3.0 from el6 and also looking at 3.3 from rhel7 beta, but
the relevant code seems the same or at least very similar)

i'm currently adding the host first via the api and then setting the
random password with host_mod like


(for some reason, this is what is needed on 3.0; anyway, that's not my

is there a way that i can change it easily somehow afterwards (preferred
way) or can i create and use a custom pwpolicy class that sets my
preferred defaults (min 1 minute, max 20 minutes); or do i monkeypatch
the whole class (assuming that pwpolicy_add is called on the user side,
not on the server side).

all tips are welcome.

You can only specify password policy for User Groups, not host groups, so there is no way to do this currently. It also isn't that fine-grained. The minimum lifetime is 1 hour, the minimum of the maximum lifetime is 1 day.

I don't see why support for Host Groups (and therefore Hosts) can't be added. I'm not 100% sure about the tuning for min/max lifetime but it should be possible. AFAIR we convert the values from seconds to hours and days.

Can you file a ticket at ?


