Hi Dmitri,

No I am sticking to the 90 day, gotta start the change in the right direction somewhere :).

So I am trying out LTB Self service password, and I am wondering if there is documentation anywhere on how to create a service style account that has the ability to change a password without forcing the user to reset their password on next login. This would be for if a user forgets their password and uses a mail token style auth.

Thanks,
Bill

On 5/13/15 5:28 PM, Dmitri Pal wrote:
> On 05/13/2015 08:18 PM, William Graboyes wrote:
> > Hi Dmitri,
> >
> > That is quite a bucket of stuff... On the CA-less install, basically I
> > don't want to have my users change their passwords again (they are
> > complaining about the every 90 day password rotation policy), we do
> > not have an internal CA, most of our "desk top support" folks don't
> > even have access to all of the desktops in the place. Like I said
> > this place is mind bending when it comes to standard practices. The
> > CA-less would be good if it were possible to make that change in
> > place, or make the change by standing up a new IPA server and having
> > the ability to import the current data set.
> >
> > I was looking at PWM, and may try to get that implemented.
>
> Another option is to reset expiration time in the user entry and set it
> some date close to 2038 which is the end of the 32-bit time.
> If the problem is 90 day policy you can just change the policy to be
> 5000 days and then next time people change password they would not be
> bothered for another 5000 days or so (make sure it does not roll over).
> For people that already have 90 days in their entry you can run a script
> once and move the date into the future.
>
> People have done it for the same reason and in the same way.
>
> >
> > Thanks,
> > Bill
> >
> > On 5/13/15 5:00 PM, Dmitri Pal wrote:
> >> On 05/13/2015 07:40 PM, William Graboyes wrote:
> >>> Hi List,
> >>>
> >>> I am trying to figure out a method of allowing users who do not have
> >>> shell access to change their own passwords. The GUI that comes with
> >>> FreeIPA is out of the question due to the untrusted CA (yes I know we
> >>> are a strange shop, there is nothing I can do about it, and you would
> >>> want to gouge your eyes out if I told you the full story) becoming a
> >>> "Bad habit forming" method of changing one's password. I have been
> >>> looking around for about a week now, and am somewhat lost and
> >>> perplexed. The old documentation for FreeIPA basically says that it is
> >>> not a good idea to manipulate the password directly in LDAP (and even
> >>> then finding what hash is being used has been next to impossible).
> >>>
> >>> So the question is this, does anyone know of any tools out there that
> >>> can happily, or even with some modification, allow me to set up a
> >>> trusted external ssl site that allows users to change their passwords.
> >> There is no external password reset self service in IPA yet. We will be
> >> starting to look into this effort during summer.
> >> Take a look at the bucket of tickets in the "FreeIPA Community Portal
> >> Release" here https://fedorahosted.org/freeipa/report/3.
> >>
> >> What prevents you from making IPA trusted? You can chain IPA to your CA
> >> or use it CA-less with certs from your own CA.
> >> Then UI would be an option I assume.
> >>
> >> Other option is https://code.google.com/p/pwm/
> >>
> >>> Thanks,
> >>> Bill
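
An added example, not code from this thread or from the FreeIPA project: a sketch of the one-off script Dmitri describes, which computes a new expiry that stays clear of the 32-bit time limit and emits LDIF for review before it is fed to `ldapmodify`. It assumes the expiry is stored in the `krbPasswordExpiration` attribute as GeneralizedTime; the DNs, the 30-day safety margin and the sample entries are constructed.

```python
"""Build LDIF that moves password expiry forward without passing the 32-bit time_t limit."""
from datetime import datetime, timedelta, timezone

# Last second representable in a signed 32-bit time_t: 2038-01-19 03:14:07 UTC.
TIME_T_MAX = datetime.fromtimestamp(2**31 - 1, tz=timezone.utc)
SAFETY_MARGIN = timedelta(days=30)   # assumption: stay a month clear of the limit
GT_FORMAT = "%Y%m%d%H%M%SZ"          # LDAP GeneralizedTime in UTC


def parse_gt(value):
    """Parse a GeneralizedTime string such as 20150811120000Z."""
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)


def new_expiry(current, now, extend_days):
    """Return now + extend_days, clamped below the rollover, never earlier than current."""
    target = min(now + timedelta(days=extend_days), TIME_T_MAX - SAFETY_MARGIN)
    return max(target, current)


def build_ldif(entries, now, extend_days):
    """entries: iterable of (dn, current expiry as GeneralizedTime)."""
    records = []
    for dn, expiry in entries:
        current = parse_gt(expiry)
        target = new_expiry(current, now, extend_days)
        if target == current:
            continue  # already at or beyond the target; leave the entry alone
        records.append(
            f"dn: {dn}\nchangetype: modify\n"
            # Attribute name is an assumption stated in the lead-in.
            f"replace: krbPasswordExpiration\n"
            f"krbPasswordExpiration: {target.strftime(GT_FORMAT)}\n"
        )
    return "\n".join(records)


# Constructed sample entries (hypothetical users and suffix).
SAMPLE = [
    ("uid=alice,cn=users,cn=accounts,dc=example,dc=test", "20150811120000Z"),
    ("uid=bob,cn=users,cn=accounts,dc=example,dc=test", "20371231000000Z"),
]

if __name__ == "__main__":
    print(build_ldif(SAMPLE, datetime(2015, 5, 14, tzinfo=timezone.utc), 5000))
```
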