On Wed, May 04, 2016 at 04:16:38PM +0200, Martin Kosek wrote:
> On 05/03/2016 08:20 AM, Rakesh Rajasekharan wrote:
> > Hi,
> > 
> > I am running a freeipa server 4.2.x.
> > 
> > I have the following password global password policy set to force a history 
> > of 3
> > 
> > ipa pwpolicy-mod global_policy --history=3 --maxlife=90 --minlength=8 
> > --maxfail=3 --failinterval=300
> > 
> > 
> > This works good when the user himself changes the password.. and IPA does 
> > not 
> > allow reusing older password.
> > 
> > However, if the admin resets it "ipa user-mod testuser --random" then it 
> > seems 
> > to reset the password history as well and the user can now re-use his older 
> > password
> > 
> > Is this expected or is there something I can do about it.
> 
> Good question, CCing Simo on this one.
> 
> > Also, is there a way to get the password expiry warning at the terminal 
> > when a 
> > user logs in , something similar to the "pwdExpireWarning" in ldap.
> > 
> > I searched a bit and could only find setting up email alerts .

Some more warnings are displayed when you bump the pam_verbosity option,
see man sssd.conf. I'm not sure if the expiry warning is one of them. If
not, feel free to file a bug.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to