Ernedin Zajko wrote:
Hi Anton,

maybe you can "talk" directly to ds:
http://directory.fedoraproject.org/docs/389ds/FAQ/password-syntax.html
regards,

That won't work. IPA re-implements password policy because it is baked into 389-ds and not plugable or extensible.

There are some open tickets for enhancing IPA password policies but other features have taken precedence thus far:

https://fedorahosted.org/freeipa/ticket/2445
https://fedorahosted.org/freeipa/ticket/5948

rob


--- Ernedin ZAJKO
  eza...@root.ba

340282366920938463463374607431768211456



On Thu, Oct 13, 2016 at 1:53 AM, Anon Lister <listera...@gmail.com> wrote:
Unfortunately, policy and regulation often lag behind current theory by
several decades. For what it's worth, I'd second being able to set more
complicated policies as a useful feature.


On Oct 12, 2016 6:38 PM, "Simpson Lachlan" <lachlan.simp...@petermac.org>
wrote:

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
boun...@redhat.com] On Behalf Of Bennett, Chip
Sent: Thursday, 13 October 2016 7:21 AM
To: Florence Blanc-Renaud; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Password Complexity Requirements Seems
Insufficient

Flo,

Thanks for getting back to me.  I had seen this in the documentation.
I was just
hoping that I was missing something.   I guess I'm just surprised that a
product
designed to manage authentication wouldn't have a way to be more
specific in the
complexity requirements.


I don't know. Those type of complexity requirements are multifaceted,
complex and somewhat arbitrary. Given that each then requires regex, I'm
quite happy that the devs focus on getting other aspects of FreeIPA to work
over password complexity.

As xkcd noted a couple of years ago, password length is better for
security than anything else.

Complex arrangements of different character classes is neither human or UX
friendly nor where contemporary security theory is focused - try 2FA,
public/private keys, etc. While I understand that large organisations have
policy that often drags well behind contemporary theory, I don't think it's
fair to expect software to also allow for that.

Cheers
L.







Thanks again!
Chip

-----Original Message-----
From: Florence Blanc-Renaud [mailto:f...@redhat.com]
Sent: Wednesday, October 12, 2016 3:18 PM
To: Bennett, Chip <cbenn...@ftdi.com>; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Password Complexity Requirements Seems
Insufficient

On 10/11/2016 07:36 PM, Bennett, Chip wrote:
I just joined this list, so if this question has been asked before
(and I'll bet it has), I apologize in advance.



A google search was unrevealing, so I'm asking here: we're running
FreeIPA Version 3.0.0 on CentOS 6.6.   It looks like the password
complexity requirements are limited to setting the number of character
classes to require, i.e. setting it to "2" would require your new
password to be any two of the character classes.



What if you wanted new passwords to meet specific class requirements,
i.e. a mix of UL, LC, and numbers.  It looks like you would use a
value of "3" to accomplish this, but that would also allow UC, LC, and
special, or LC, numbers, and special, but you don't want to allow the
those:  how would you specify that?

Hi,

as far as I know, it is only possible to specify the number of different
character
classes. The doc chapter "Creating Password Policies in the Web UI" [1]
describes
the following:
---
Character classes sets the number of different categories of character
that must be
used in the password. This does not set which classes must be used; it
sets the
number of different (unspecified) classes which must be used in a
password. For
example, a character class can be a number, special character, or
capital; the
complete list of categories is in Table 22.1, "Password Policy
Settings". This is part
of setting the complexity requirements.
---

hope this clarifies,
Flo

[1]
https://access.redhat.com/documentation/en-

US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_

Policy_Guide/Setting_Different_Password_Policies_for_Different_User_Groups.ht
ml#creating-group-policy-ui




Also, what if you had a requirement for more than one of the character
classes, i.e. you want to require two UC characters or two special
characters?



Thanks in advance for the help,

Chip Bennett




This message is solely for the intended recipient(s) and may contain
confidential and privileged information. Any unauthorized review, use,
disclosure or distribution is prohibited.




This message is solely for the intended recipient(s) and may contain
confidential
and privileged information.
Any unauthorized review, use, disclosure or distribution is prohibited.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
This email (including any attachments or links) may contain
confidential and/or legally privileged information and is
intended only to be read or used by the addressee.  If you
are not the intended addressee, any use, distribution,
disclosure or copying of this email is strictly
prohibited.
Confidentiality and legal privilege attached to this email
(including any attachments) are not waived or lost by
reason of its mistaken delivery to you.
If you have received this email in error, please delete it
and notify us immediately by telephone or email.  Peter
MacCallum Cancer Centre provides no guarantee that this
transmission is free of virus or that it has not been
intercepted or altered and will not be liable for any delay
in its receipt.


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to