I have read this page http://www.freeipa.org/page/New_Passwords_Expired Aside from the fact that the decision should have been left to the company and their policies, and violates the tenant that software should have sane defaults while leaving flexibility to the user, I'm wondering if you can help me.
We have a situation where the passwords in FreeIPA need to be synchronized with another system in the company (a database of users, which is the authoritative source for users and passwords). But, from what I read, the documentation is telling me we can't do that, because if we followed this work flow: 1. Users goes to "master DB" and changes their password 2. master DB runs a script which sets password on FreeIPA system 3. User's login is now broken because the password is expired. It is really unfortunate that this design decision was made, because 1. It prevents FreeIPA from being integrated with existing systems (telling people, effectively, you have to use FreeIPA for EVERYTHING or you can't use us at all) 2. It doesn't really improve security as claimed, because if the user's new password is intercepted, the interceptor can use that password to login and change the expired password, still giving access. Is there a way around this? Is there a password synchronization protocol that can be used to link up systems that need to have common logins? Thanks for any help you can offer! j -- Joshua J. Kugler -- Fairbanks, AK Blogs: http://jjncj.com/blog/ (Family) -- http://joshuakugler.com (Geek) Every knee shall bow, and every tongue confess, in heaven, on earth, and under the earth, that Jesus Christ is LORD -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project