On 08/28/2014 04:18 PM, Zip Ly wrote:
> I'm trying to change a user password without reset.
> If I use the (primary) admin to change the password then it doesn't need a
> password reset, because the expire lifetime is 90 days.
This is strange. Did you by any chance add this admin's account DN to
passSyncManagersDNs setting in ipa_pwd_extop plugin?
> But if I create a second admin, then every password change made by the
> second admin needs a password reset, because the password is expired
Right, this is done on purpose:
> 1a) Does anyone know how I can change the policy/privilege of the second
> admin so every password change doesn't require a reset?
See docs link above. But note it is a hack and we discourage it for reasons
written in the wiki link above.
> 1b) and is it
> possible to set a different expire lifetime like zero for unlimited
No (for security reasons).
> It's almost the same bugreport as
> https://fedorahosted.org/freeipa/ticket/2795 but the difference is there
> should be 2 policies: one for changing your own password and another for
> resetting other users' passwords.
Administrative password change is only subject to the max password lifetime part
of the password policy AFAIR. Thus it already uses 2 different standards for
these password changes (e.g. password length is not enforced for administrative
> 2) Are there more differences in policies between the first (primary) admin
> and the second admin you just created?
There should not be. All members of the admins group should be equal in rights.