On Fri, 27 Mar 2015, Janelle wrote:
> Hi all,
> Found an odd issue and a question. If you change user pw with "ipa user-mod --password" and the client is configured for LDAP, then the user is not forced to change the pw on initial login.
We have three different cases depending on who changes the userPassword attribute in LDAP:

1. cn=Directory Manager can change anything and it doesn't taint the userPassword.
2. A user can change their own password and it doesn't taint the userPassword attribute.
3. Any other identity that can change a password will taint the userPassword attribute.

If you change a user password with "ipa user-mod --password", the question should be "who are you?", and the answer to that question drives the tainting logic described above.
> However, my other question is, can you set a user pw WITHOUT pre-expiring?!
cn=Directory Manager is the one who can, but directly in LDAP, as you cannot authenticate as 'cn=Directory Manager' using IPA tools. If you are insisting on lowering the security of your passwords, nothing prevents you from changing the user's password to some value as the admin user first and then setting it as that user to the correct value. We don't recommend doing so, but you already have the means to ignore our recommendations.

-- 
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
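As an added example (not from the thread or the FreeIPA project), the three tainting cases described above as a small classifier run over constructed, simplified LDIF-style change records, so an administrator can tell which password resets will force a change on first login. It assumes each record carries the standard modifiersName operational attribute naming the identity that performed the change.

```python
DIRECTORY_MANAGER = "cn=directory manager"

# Constructed, simplified LDIF-style change records (not a real audit log);
# modifiersName is the operational attribute naming who made the change.
SAMPLE_AUDIT = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
replace: userPassword
modifiersName: cn=Directory Manager

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
replace: userPassword
modifiersName: uid=bob,cn=users,cn=accounts,dc=example,dc=com

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
replace: userPassword
modifiersName: uid=admin,cn=users,cn=accounts,dc=example,dc=com

dn: uid=dave,cn=users,cn=accounts,dc=example,dc=com
replace: mail
modifiersName: uid=admin,cn=users,cn=accounts,dc=example,dc=com
"""

def normalize_dn(dn: str) -> str:
    """Simplified DN comparison: case-insensitive, whitespace around RDNs ignored."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def classify(target_dn: str, modifier_dn: str) -> str:
    """'not-tainted' for Directory Manager or a self-change, 'tainted' otherwise."""
    modifier = normalize_dn(modifier_dn)
    if modifier in (DIRECTORY_MANAGER, normalize_dn(target_dn)):
        return "not-tainted"   # case 1 (Directory Manager) or case 2 (own password)
    return "tainted"           # case 3: any other identity, e.g. admin via user-mod

def password_resets(text: str) -> dict[str, str]:
    """Map each DN whose userPassword was changed to its tainting outcome."""
    result = {}
    for chunk in text.strip().split("\n\n"):          # one record per blank-line block
        rec = {"dn": "", "attrs": set(), "modifier": ""}
        for line in chunk.splitlines():
            key, _, value = line.partition(": ")
            if key == "dn":
                rec["dn"] = value
            elif key in ("replace", "add"):
                rec["attrs"].add(value.lower())
            elif key.lower() == "modifiersname":
                rec["modifier"] = value
        if "userpassword" in rec["attrs"]:             # ignore non-password changes
            result[rec["dn"]] = classify(rec["dn"], rec["modifier"])
    return result
```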
