On 08/28/2014 04:18 PM, Zip Ly wrote:
> Hi,
> 
> 
> I'm trying to change a user password without reset.
> If I use the (primary) admin to change the password then it doesn't need a
> password reset, because the expire lifetime is 90 days.

This is strange. Did you by any chance added this admin's account DN to
passSyncManagersDNs setting in ipa_pwd_extop plugin?

http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/pass-sync.html#password-sync

> But if I create a second admin, then every password change made by the
> second admin needs a password reset, because the password is expired
> immediately.

Right, this is done on purpose:
http://www.freeipa.org/page/New_Passwords_Expired

> 1a) Does anyone knows how I can change the policy/privilege of the second
> admin so every password change doesn't require a reset?

See docs link above. But note it is a hack and we discourage it for reasons
written in the wiki link above.

> 1b) and is it
> possible to set a different expire lifetime like zero for unlimited
> lifetime?

No (for security reasons).

> 
> It's almost the same bugreport as
> https://fedorahosted.org/freeipa/ticket/2795 but the difference is there
> should be 2 policies: one for changing your own password and another for
> resetting other users password.

Administrative password change is only subject to max password life time part
of the password policy AFAIR. Thus it already uses 2 different standards for
these password changes (e.g. password length is not enforced for administrative
password change).

> 2) Are there more differences in policies between the first (primary) admin
> and the second admin you just created?

There should not be. All members of admins groups should be equal in rights.

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to