On Fri, 27 Mar 2015, Janelle wrote:

> Hi all,
>
> Found an odd issue and a question.  If you change user pw with "ipa
> user-mod --password" and the client is configured for LDAP, then the
> user is not forced to change the pw on initial login.
We have three different cases depending on who changes userPassword
attribute in LDAP:

1. cn=Directory Manager can change anything and it doesn't taint the
userPassword.

2. A user can change own password and it doesn't taint the userPassword
attribute.

3. Any other identity that can change a password will taint userPassword
attribute.

If you change user password with "ipa user-mod --password" the question
should be "who are you?" and the answer to that question drives the
tainting logic described above.

> However, my other question is, can you set a user pw WITHOUT
> pre-expiring?!

cn=Directory Manager is the one who can, but only directly in LDAP, as you
cannot authenticate as 'cn=Directory Manager' using IPA tools.

If you are insisting on lowering the security of your passwords, nothing
prevents you from changing the user's password to some value as the admin
user first and then setting it as that user to a correct value. We don't
recommend doing so, but you already have the means to ignore our
recommendations.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project