@Martin 1) Yes, I did executed 8.5.3 from the wiki. Is this is reason for the systems behaviour? if so why doesnt't it applies for both admins? And it doesn't explain the 90 days, because it is not set in the tutorial. Unless some params are left out of the wiki for some reason. I'm using windows LDAP admin tool to browse the LDAP tree, but couln't find this param/value so I wasn't sure if the new setting is being used. I did get a confirmation while executing the change.
@Dimitri 1) Yes, there are no problems with changing your own password. There is only something strange with the expiration lifetime when you are changing other users (admin or non-admin) password. The expiration lifetime of a password reset should be equal to BOTH admins like expired immediately, 90 days or the value that is set in the password policy. I prefer the value in a password policy, because this way I have it more under control. @Martin & @Will 1b) Ok, I'm afraid you may say that. Most free clients like gmail, hotmail, ebay, paypal doesn't require a password reset from time to time (yes they may have set a very high value). So I was wondering why it isn't possible. I know it's bad for security, but still. On Thu, Aug 28, 2014 at 6:18 PM, Dmitri Pal <d...@redhat.com> wrote: > On 08/28/2014 04:18 PM, Zip Ly wrote: > > Hi, > > > I'm trying to change a user password without reset. > If I use the (primary) admin to change the password then it doesn't need a > password reset, because the expire lifetime is 90 days. > > But if I create a second admin, then every password change made by the > second admin needs a password reset, because the password is expired > immediately. > > 1a) Does anyone knows how I can change the policy/privilege of the > second admin so every password change doesn't require a reset? 1b) and is > it possible to set a different expire lifetime like zero for unlimited > lifetime? > > > You are probably changing password for the admin himself. > Isn't there a different flow when admin changes his own password? > > > > It's almost the same bugreport as > https://fedorahosted.org/freeipa/ticket/2795 but the difference is there > should be 2 policies: one for changing your own password and another for > resetting other users password. > > > 2) Are there more differences in policies between the first (primary) > admin and the second admin you just created? > > > Kind regards, > > Zip > > > > > > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go To http://freeipa.org for more info on the project >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project