@Martin

The second admin is my service account. I use this account to communicate
with our web application (it uses a keytab and posts/curls JSON to IPA). I can
add users without a problem. But when it comes to changing a password, the
password is expired immediately.

I have only one password policy and that's the 'global_policy'. The
--maxlife you mentioned only affects this policy. If I use this service
account to change the user password, the policy is ignored just as stated
in the ipa wiki. Even if I set the --maxlife to 200, if the password is
being reset by this first admin, then the expiry date is set to 90 days,
or expired immediately by the second admin/service account.

That's why I want to know how to change these 90 days and also apply it to
the service account.



On Mon, Sep 1, 2014 at 1:06 PM, Martin Kosek <mko...@redhat.com> wrote:

> On 08/29/2014 10:21 AM, Zip Ly wrote:
> > @Martin
> > 1) Yes, I did execute 8.5.3 from the wiki. Is this the reason for the
> > system's behaviour?
>
> Yes.
>
> > if so why doesn't it apply to both admins?
>
> Because only a DN of the first admin was added. It applies only to objects
> bound with this DN then.
>
> > And it
> > doesn't explain the 90 days, because it is not set in the tutorial.
>
> 90 days is the password policy defined password maximum life. You can check
> with "ipa pwpolicy-show [group]". This value is not defined in
> "cn=ipa_pwd_extop,cn=plugins,cn=config", thus not present in the docs.
>
> > Unless some params are left out of the wiki for some reason. I'm using
> > a Windows LDAP admin tool to browse the LDAP tree, but couldn't find this
> > param/value, so I wasn't sure if the new setting is being used. I did get
> > a confirmation while executing the change.
>
> To set the max password life, use the "ipa pwpolicy-mod --maxlife $LIFE"
> command (or the Web UI).
>
> >
> > @Dimitri
> > 1) Yes, there are no problems with changing your own password. There is
> > only something strange with the expiration lifetime when you are changing
> > other users' (admin or non-admin) passwords. The expiration lifetime of a
> > password reset should be equal for BOTH admins: expired immediately, 90
> > days, or the value that is set in the password policy. I prefer the value
> > in a password policy, because this way I have it more under control.
> >
> > @Martin & @Will
> > 1b) Ok, I'm afraid you may say that. Most free clients like gmail,
> > hotmail, ebay, paypal don't require a password reset from time to time
> > (yes, they may have set a very high value). So I was wondering why it
> > isn't possible. I know it's bad for security, but still.
>
> I think the solution is to:
>
> 1) Change the password policy to a very high value (even in years), as Will
> suggested in this thread.
>
> 2) Use service accounts (service-add) with keytabs for services which do
> not need to change their passwords, given they authenticate with a keytab,
> which does not suffer from password complexity issues.
>
> 3) Contribute to FreeIPA and make --maxlife 0 or similar mean unlimited
> validity (https://fedorahosted.org/freeipa/ticket/2795) :-)
>
>
> > On Thu, Aug 28, 2014 at 6:18 PM, Dmitri Pal <d...@redhat.com> wrote:
> >
> >>  On 08/28/2014 04:18 PM, Zip Ly wrote:
> >>
> >>  Hi,
> >>
> >>
> >> I'm trying to change a user password without a reset.
> >> If I use the (primary) admin to change the password, then it doesn't
> >> need a password reset, because the expiry lifetime is 90 days.
> >>
> >> But if I create a second admin, then every password change made by the
> >> second admin needs a password reset, because the password is expired
> >> immediately.
> >>
> >> 1a) Does anyone know how I can change the policy/privilege of the
> >> second admin so every password change doesn't require a reset? 1b) And
> >> is it possible to set a different expiry lifetime, like zero for
> >> unlimited lifetime?
> >>
> >>
> >> You are probably changing password for the admin himself.
> >> Isn't there a different flow when admin changes his own password?
> >>
> >>
> >>
> >> It's almost the same bug report as
> >> https://fedorahosted.org/freeipa/ticket/2795 but the difference is
> >> there should be 2 policies: one for changing your own password and
> >> another for resetting other users' passwords.
> >>
> >>
> >> 2) Are there more differences in policies between the first (primary)
> >> admin and the second admin you just created?
> >>
> >>
> >> Kind regards,
> >>
> >> Zip
> >>
> >> --
> >> Thank you,
> >> Dmitri Pal
> >>
> >> Sr. Engineering Manager IdM portfolio
> >> Red Hat, Inc.
> >>
> >>
> >> --
> >> Manage your subscription for the Freeipa-users mailing list:
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >> Go To http://freeipa.org for more info on the project
> >>

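As an added example (not from the thread or the FreeIPA project), here is a small Python check that reads the raw attributes printed by `ipa user-show <uid> --all --raw` and reports which of the three behaviours discussed above a password reset produced: expired immediately, the policy's --maxlife honoured, or some other lifetime such as the 90 days observed. The sample output is constructed, and the policy value is assumed to be given in days, as `ipa pwpolicy-show` displays it.

```python
# Added example: classify what a FreeIPA password reset did to a user's expiry
# from the raw krblastpwdchange / krbpasswordexpiration attributes.
from datetime import datetime, timedelta, timezone

# Constructed `--raw` output for a reset by an account whose DN is NOT listed
# under cn=ipa_pwd_extop,cn=plugins,cn=config: expiry equals the change time.
RAW_RESET_IMMEDIATE = """\
  dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=test
  krblastpwdchange: 20140901110600Z
  krbpasswordexpiration: 20140901110600Z
"""
# Constructed: a reset that honoured a policy with --maxlife 200.
RAW_RESET_POLICY = RAW_RESET_IMMEDIATE.replace(
    "krbpasswordexpiration: 20140901110600Z",
    "krbpasswordexpiration: 20150320110600Z")
# Constructed: the 90-day lifetime the thread reports for the first admin.
RAW_RESET_90D = RAW_RESET_IMMEDIATE.replace(
    "krbpasswordexpiration: 20140901110600Z",
    "krbpasswordexpiration: 20141130110600Z")


def parse_raw_user_show(text):
    """Turn 'attr: value' lines into {lowercased attr: [values]}."""
    attrs = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def parse_generalized_time(value):
    """LDAP GeneralizedTime as IPA prints it, e.g. 20140901110600Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def classify_reset(attrs, policy_maxlife_days):
    """Return 'expired-immediately', 'policy-maxlife' or 'other:<N>d'."""
    changed = parse_generalized_time(attrs["krblastpwdchange"][0])
    expires = parse_generalized_time(attrs["krbpasswordexpiration"][0])
    life = expires - changed
    if life <= timedelta(0):
        return "expired-immediately"  # user is forced to change at next login
    if life.days == policy_maxlife_days:
        return "policy-maxlife"
    return f"other:{life.days}d"
```

Run it against the output of `ipa user-show <uid> --all --raw` taken right after a reset by each admin to see which account bypasses the forced reset and whether the policy's --maxlife is actually being applied.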