On 08/28/2014 04:18 PM, Zip Ly wrote: > Hi, > > > I'm trying to change a user password without reset. > If I use the (primary) admin to change the password then it doesn't need a > password reset, because the expire lifetime is 90 days.
This is strange. Did you by any chance added this admin's account DN to passSyncManagersDNs setting in ipa_pwd_extop plugin? http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/pass-sync.html#password-sync > But if I create a second admin, then every password change made by the > second admin needs a password reset, because the password is expired > immediately. Right, this is done on purpose: http://www.freeipa.org/page/New_Passwords_Expired > 1a) Does anyone knows how I can change the policy/privilege of the second > admin so every password change doesn't require a reset? See docs link above. But note it is a hack and we discourage it for reasons written in the wiki link above. > 1b) and is it > possible to set a different expire lifetime like zero for unlimited > lifetime? No (for security reasons). > > It's almost the same bugreport as > https://fedorahosted.org/freeipa/ticket/2795 but the difference is there > should be 2 policies: one for changing your own password and another for > resetting other users password. Administrative password change is only subject to max password life time part of the password policy AFAIR. Thus it already uses 2 different standards for these password changes (e.g. password length is not enforced for administrative password change). > 2) Are there more differences in policies between the first (primary) admin > and the second admin you just created? There should not be. All members of admins groups should be equal in rights. Martin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project