Re: [Freeipa-devel] [PATCH 0559] Increase default length of auto-generated passwords

2016-08-03 Thread Martin Basti



On 29.07.2016 18:19, Alexander Bokovoy wrote:

On Fri, 29 Jul 2016, Martin Basti wrote:



On 29.07.2016 17:09, Alexander Bokovoy wrote:
> On Fri, 29 Jul 2016, Martin Basti wrote:
> > https://fedorahosted.org/freeipa/ticket/6116
> > > > > > Patch attached
> > > > > From ca5305e032137b7c9197d0c1050191079a72124e Mon Sep 17 
00:00:00 2001

> > From: Martin Basti 
> > Date: Fri, 22 Jul 2016 16:41:29 +0200
> > Subject: [PATCH] Increase default length of auto generated passwords
> > > > Installer/IPA generates passwords for various purposes:
> > * KRA
> > * kerberos master key
> > * NSSDB password
> > * temporary passwords during installation
> > > > Length of passwords should be increased to 22, ~128bits of 
entropy, to

> > be safe nowadays.
> > > > https://fedorahosted.org/freeipa/ticket/6116
> ACK with a minor comment.
> > > ---
> > ipapython/ipautil.py   | 2 +-
> > ipaserver/plugins/baseuser.py  | 3 ++-
> > ipaserver/plugins/host.py  | 3 ++-
> > ipaserver/plugins/stageuser.py | 3 ++-
> > ipaserver/plugins/user.py  | 3 ++-
> > 5 files changed, 9 insertions(+), 5 deletions(-)
> > > > diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
> > index 
9964fba4f694b57242b3bd3065a418917d977533..ca7e81d666cd6c345bdbbf4660c3451ac1f2c045 
> > 100644

> > --- a/ipapython/ipautil.py
> > +++ b/ipapython/ipautil.py
> > @@ -57,7 +57,7 @@ from ipapython.dn import DN
> > SHARE_DIR = paths.USR_SHARE_IPA_DIR
> > PLUGINS_SHARE_DIR = paths.IPA_PLUGINS
> > > > -GEN_PWD_LEN = 12
> > +GEN_PWD_LEN = 22
> It would be good to add a temporary password constant too
> +GEN_TMP_PWD_LEN = 12
> > and then use it instead of pwd_len=12 below.
> > > # Having this in krb_utils would cause circular import
> > KRB5_KDC_UNREACH = 2529639068 # Cannot contact any KDC for 
requested > > realm
> > diff --git a/ipaserver/plugins/baseuser.py > > 
b/ipaserver/plugins/baseuser.py
> > index 
e4288a5a131157815ffb2452692a7edb342f6ac3..5e0752c8d3d246fa7c283f05b82ef01de2e5bf34 
> > 100644

> > --- a/ipaserver/plugins/baseuser.py
> > +++ b/ipaserver/plugins/baseuser.py
> > @@ -552,7 +552,8 @@ class baseuser_mod(LDAPUpdate):
> > > > def check_userpassword(self, entry_attrs, **options):
> > if 'userpassword' not in entry_attrs and 
options.get('random'):
> > -entry_attrs['userpassword'] = > > 
ipa_generate_password(baseuser_pwdchars)

> > +entry_attrs['userpassword'] = ipa_generate_password(
> > +baseuser_pwdchars, pwd_len=12)
> > # save the password so it can be displayed in 
post_callback
> > setattr(context, 'randompassword', > > 
entry_attrs['userpassword'])
> > > > diff --git a/ipaserver/plugins/host.py 
b/ipaserver/plugins/host.py
> > index 
413dcf15e0423170d8334902b9dcf8fb5aa14de6..1cefb6224e1a6dad0080369edee35c4524e5bd39 
> > 100644

> > --- a/ipaserver/plugins/host.py
> > +++ b/ipaserver/plugins/host.py
> > @@ -683,7 +683,8 @@ class host_add(LDAPCreate):
> > if 'krbprincipal' in entry_attrs['objectclass']:
> > entry_attrs['objectclass'].remove('krbprincipal')
> > if options.get('random'):
> > -entry_attrs['userpassword'] = > > 
ipa_generate_password(characters=host_pwd_chars)

> > +entry_attrs['userpassword'] = ipa_generate_password(
> > +characters=host_pwd_chars, pwd_len=12)
> > # save the password so it can be displayed in 
post_callback
> > setattr(context, 'randompassword', > > 
entry_attrs['userpassword'])

> > certs = options.get('usercertificate', [])
> > diff --git a/ipaserver/plugins/stageuser.py > > 
b/ipaserver/plugins/stageuser.py
> > index 
3b9388f6020b9a6c40caedd36f3640a05a13da65..6df189c3913171b4990ce115b296b19c7447592d 
> > 100644

> > --- a/ipaserver/plugins/stageuser.py
> > +++ b/ipaserver/plugins/stageuser.py
> > @@ -339,7 +339,8 @@ class stageuser_add(baseuser_add):
> > > > # If requested, generate a userpassword
> > if 'userpassword' not in entry_attrs and 
options.get('random'):
> > -entry_attrs['userpassword'] = > > 
ipa_generate_password(baseuser_pwdchars)

> > +entry_attrs['userpassword'] = ipa_generate_password(
> > +baseuser_pwdchars, pwd_len=12)
> > # save the password so it can be displayed in 
post_callback
> > setattr(context, 'randompassword', > > 
entry_attrs['userpassword'])
> > > > diff --git a/ipaserver/plugins/user.py 
b/ipaserver/plugins/user.py
> > index 
b3ae7646fdcfa1dce10d90063dae2a24c091e8ee..62ec529062c7ac39661df2a8c3d2277711268b11 
> > 100644

> > --- a/ipaserver/plugins/user.py
> > +++ b/ipaserver/plugins/user.py
> > @@ -517,7 +517,8 @@ class user_add(baseuser_add):
> > entry_attrs['gidnumber'] = group_attrs['gidnumber']
> > > > if 'userpassword' not in entry_attrs and 
options.get('random'):
> > -entry_attrs['userpassword'] = > > 
ipa_generate_password(baseuser_pwdchars)

> > +entry_attrs['userpa

Re: [Freeipa-devel] [PATCH 0559] Increase default length of auto-generated passwords

2016-07-29 Thread Alexander Bokovoy

On Fri, 29 Jul 2016, Martin Basti wrote:



On 29.07.2016 17:09, Alexander Bokovoy wrote:
> On Fri, 29 Jul 2016, Martin Basti wrote:
> > https://fedorahosted.org/freeipa/ticket/6116
> > 
> > 
> > Patch attached
> > 
> 
> > From ca5305e032137b7c9197d0c1050191079a72124e Mon Sep 17 00:00:00 2001

> > From: Martin Basti 
> > Date: Fri, 22 Jul 2016 16:41:29 +0200
> > Subject: [PATCH] Increase default length of auto generated passwords
> > 
> > Installer/IPA generates passwords for various purposes:

> > * KRA
> > * kerberos master key
> > * NSSDB password
> > * temporary passwords during installation
> > 
> > Length of passwords should be increased to 22, ~128bits of entropy, to

> > be safe nowadays.
> > 
> > https://fedorahosted.org/freeipa/ticket/6116

> ACK with a minor comment.
> 
> > ---

> > ipapython/ipautil.py   | 2 +-
> > ipaserver/plugins/baseuser.py  | 3 ++-
> > ipaserver/plugins/host.py  | 3 ++-
> > ipaserver/plugins/stageuser.py | 3 ++-
> > ipaserver/plugins/user.py  | 3 ++-
> > 5 files changed, 9 insertions(+), 5 deletions(-)
> > 
> > diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
> > index 9964fba4f694b57242b3bd3065a418917d977533..ca7e81d666cd6c345bdbbf4660c3451ac1f2c045 
> > 100644

> > --- a/ipapython/ipautil.py
> > +++ b/ipapython/ipautil.py
> > @@ -57,7 +57,7 @@ from ipapython.dn import DN
> > SHARE_DIR = paths.USR_SHARE_IPA_DIR
> > PLUGINS_SHARE_DIR = paths.IPA_PLUGINS
> > 
> > -GEN_PWD_LEN = 12

> > +GEN_PWD_LEN = 22
> It would be good to add a temporary password constant too
> +GEN_TMP_PWD_LEN = 12
> 
> and then use it instead of pwd_len=12 below.
> 
> > # Having this in krb_utils would cause circular import
> > KRB5_KDC_UNREACH = 2529639068 # Cannot contact any KDC for requested 
> > realm
> > diff --git a/ipaserver/plugins/baseuser.py 
> > b/ipaserver/plugins/baseuser.py
> > index e4288a5a131157815ffb2452692a7edb342f6ac3..5e0752c8d3d246fa7c283f05b82ef01de2e5bf34 
> > 100644

> > --- a/ipaserver/plugins/baseuser.py
> > +++ b/ipaserver/plugins/baseuser.py
> > @@ -552,7 +552,8 @@ class baseuser_mod(LDAPUpdate):
> > 
> > def check_userpassword(self, entry_attrs, **options):

> > if 'userpassword' not in entry_attrs and options.get('random'):
> > -entry_attrs['userpassword'] = 
> > ipa_generate_password(baseuser_pwdchars)

> > +entry_attrs['userpassword'] = ipa_generate_password(
> > +baseuser_pwdchars, pwd_len=12)
> > # save the password so it can be displayed in post_callback
> > setattr(context, 'randompassword', 
> > entry_attrs['userpassword'])
> > 
> > diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
> > index 413dcf15e0423170d8334902b9dcf8fb5aa14de6..1cefb6224e1a6dad0080369edee35c4524e5bd39 
> > 100644

> > --- a/ipaserver/plugins/host.py
> > +++ b/ipaserver/plugins/host.py
> > @@ -683,7 +683,8 @@ class host_add(LDAPCreate):
> > if 'krbprincipal' in entry_attrs['objectclass']:
> > entry_attrs['objectclass'].remove('krbprincipal')
> > if options.get('random'):
> > -entry_attrs['userpassword'] = 
> > ipa_generate_password(characters=host_pwd_chars)

> > +entry_attrs['userpassword'] = ipa_generate_password(
> > +characters=host_pwd_chars, pwd_len=12)
> > # save the password so it can be displayed in post_callback
> > setattr(context, 'randompassword', 
> > entry_attrs['userpassword'])

> > certs = options.get('usercertificate', [])
> > diff --git a/ipaserver/plugins/stageuser.py 
> > b/ipaserver/plugins/stageuser.py
> > index 3b9388f6020b9a6c40caedd36f3640a05a13da65..6df189c3913171b4990ce115b296b19c7447592d 
> > 100644

> > --- a/ipaserver/plugins/stageuser.py
> > +++ b/ipaserver/plugins/stageuser.py
> > @@ -339,7 +339,8 @@ class stageuser_add(baseuser_add):
> > 
> > # If requested, generate a userpassword

> > if 'userpassword' not in entry_attrs and options.get('random'):
> > -entry_attrs['userpassword'] = 
> > ipa_generate_password(baseuser_pwdchars)

> > +entry_attrs['userpassword'] = ipa_generate_password(
> > +baseuser_pwdchars, pwd_len=12)
> > # save the password so it can be displayed in post_callback
> > setattr(context, 'randompassword', 
> > entry_attrs['userpassword'])
> > 
> > diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
> > index b3ae7646fdcfa1dce10d90063dae2a24c091e8ee..62ec529062c7ac39661df2a8c3d2277711268b11 
> > 100644

> > --- a/ipaserver/plugins/user.py
> > +++ b/ipaserver/plugins/user.py
> > @@ -517,7 +517,8 @@ class user_add(baseuser_add):
> > entry_attrs['gidnumber'] = group_attrs['gidnumber']
> > 
> > if 'userpassword' not in entry_attrs and options.get('random'):
> > -entry_attrs['userpassword'] = 
> > ipa_generate_password(baseuser_pwdchars)

> > +entry_attrs['userpassword'] = ipa_generate_password(
> > +  

Re: [Freeipa-devel] [PATCH 0559] Increase default length of auto-generated passwords

2016-07-29 Thread Martin Basti



On 29.07.2016 17:09, Alexander Bokovoy wrote:

On Fri, 29 Jul 2016, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/6116


Patch attached




From ca5305e032137b7c9197d0c1050191079a72124e Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 22 Jul 2016 16:41:29 +0200
Subject: [PATCH] Increase default length of auto generated passwords

Installer/IPA generates passwords for various purposes:
* KRA
* kerberos master key
* NSSDB password
* temporary passwords during installation

Length of passwords should be increased to 22, ~128bits of entropy, to
be safe nowadays.

https://fedorahosted.org/freeipa/ticket/6116

ACK with a minor comment.


---
ipapython/ipautil.py   | 2 +-
ipaserver/plugins/baseuser.py  | 3 ++-
ipaserver/plugins/host.py  | 3 ++-
ipaserver/plugins/stageuser.py | 3 ++-
ipaserver/plugins/user.py  | 3 ++-
5 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 
9964fba4f694b57242b3bd3065a418917d977533..ca7e81d666cd6c345bdbbf4660c3451ac1f2c045 
100644

--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -57,7 +57,7 @@ from ipapython.dn import DN
SHARE_DIR = paths.USR_SHARE_IPA_DIR
PLUGINS_SHARE_DIR = paths.IPA_PLUGINS

-GEN_PWD_LEN = 12
+GEN_PWD_LEN = 22

It would be good to add a temporary password constant too
+GEN_TMP_PWD_LEN = 12

and then use it instead of pwd_len=12 below.


# Having this in krb_utils would cause circular import
KRB5_KDC_UNREACH = 2529639068 # Cannot contact any KDC for requested 
realm
diff --git a/ipaserver/plugins/baseuser.py 
b/ipaserver/plugins/baseuser.py
index 
e4288a5a131157815ffb2452692a7edb342f6ac3..5e0752c8d3d246fa7c283f05b82ef01de2e5bf34 
100644

--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -552,7 +552,8 @@ class baseuser_mod(LDAPUpdate):

def check_userpassword(self, entry_attrs, **options):
if 'userpassword' not in entry_attrs and options.get('random'):
-entry_attrs['userpassword'] = 
ipa_generate_password(baseuser_pwdchars)

+entry_attrs['userpassword'] = ipa_generate_password(
+baseuser_pwdchars, pwd_len=12)
# save the password so it can be displayed in post_callback
setattr(context, 'randompassword', 
entry_attrs['userpassword'])


diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 
413dcf15e0423170d8334902b9dcf8fb5aa14de6..1cefb6224e1a6dad0080369edee35c4524e5bd39 
100644

--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -683,7 +683,8 @@ class host_add(LDAPCreate):
if 'krbprincipal' in entry_attrs['objectclass']:
entry_attrs['objectclass'].remove('krbprincipal')
if options.get('random'):
-entry_attrs['userpassword'] = 
ipa_generate_password(characters=host_pwd_chars)

+entry_attrs['userpassword'] = ipa_generate_password(
+characters=host_pwd_chars, pwd_len=12)
# save the password so it can be displayed in post_callback
setattr(context, 'randompassword', 
entry_attrs['userpassword'])

certs = options.get('usercertificate', [])
diff --git a/ipaserver/plugins/stageuser.py 
b/ipaserver/plugins/stageuser.py
index 
3b9388f6020b9a6c40caedd36f3640a05a13da65..6df189c3913171b4990ce115b296b19c7447592d 
100644

--- a/ipaserver/plugins/stageuser.py
+++ b/ipaserver/plugins/stageuser.py
@@ -339,7 +339,8 @@ class stageuser_add(baseuser_add):

# If requested, generate a userpassword
if 'userpassword' not in entry_attrs and options.get('random'):
-entry_attrs['userpassword'] = 
ipa_generate_password(baseuser_pwdchars)

+entry_attrs['userpassword'] = ipa_generate_password(
+baseuser_pwdchars, pwd_len=12)
# save the password so it can be displayed in post_callback
setattr(context, 'randompassword', 
entry_attrs['userpassword'])


diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index 
b3ae7646fdcfa1dce10d90063dae2a24c091e8ee..62ec529062c7ac39661df2a8c3d2277711268b11 
100644

--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -517,7 +517,8 @@ class user_add(baseuser_add):
entry_attrs['gidnumber'] = group_attrs['gidnumber']

if 'userpassword' not in entry_attrs and options.get('random'):
-entry_attrs['userpassword'] = 
ipa_generate_password(baseuser_pwdchars)

+entry_attrs['userpassword'] = ipa_generate_password(
+baseuser_pwdchars, pwd_len=12)
# save the password so it can be displayed in post_callback
setattr(context, 'randompassword', 
entry_attrs['userpassword'])


--
2.5.5








Thanks
Updated patch attached

Martin^2
From 81beb652bc81a8e73876f876507a7dabd338667b M

Re: [Freeipa-devel] [PATCH 0559] Increase default length of auto-generated passwords

2016-07-29 Thread Alexander Bokovoy

On Fri, 29 Jul 2016, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/6116


Patch attached




From ca5305e032137b7c9197d0c1050191079a72124e Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 22 Jul 2016 16:41:29 +0200
Subject: [PATCH] Increase default length of auto generated passwords

Installer/IPA generates passwords for various purposes:
* KRA
* kerberos master key
* NSSDB password
* temporary passwords during installation

Length of passwords should be increased to 22, ~128bits of entropy, to
be safe nowadays.

https://fedorahosted.org/freeipa/ticket/6116

ACK with a minor comment.


---
ipapython/ipautil.py   | 2 +-
ipaserver/plugins/baseuser.py  | 3 ++-
ipaserver/plugins/host.py  | 3 ++-
ipaserver/plugins/stageuser.py | 3 ++-
ipaserver/plugins/user.py  | 3 ++-
5 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 
9964fba4f694b57242b3bd3065a418917d977533..ca7e81d666cd6c345bdbbf4660c3451ac1f2c045
 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -57,7 +57,7 @@ from ipapython.dn import DN
SHARE_DIR = paths.USR_SHARE_IPA_DIR
PLUGINS_SHARE_DIR = paths.IPA_PLUGINS

-GEN_PWD_LEN = 12
+GEN_PWD_LEN = 22

It would be good to add a temporary password constant too
+GEN_TMP_PWD_LEN = 12

and then use it instead of pwd_len=12 below.


# Having this in krb_utils would cause circular import
KRB5_KDC_UNREACH = 2529639068 # Cannot contact any KDC for requested realm
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index 
e4288a5a131157815ffb2452692a7edb342f6ac3..5e0752c8d3d246fa7c283f05b82ef01de2e5bf34
 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -552,7 +552,8 @@ class baseuser_mod(LDAPUpdate):

def check_userpassword(self, entry_attrs, **options):
if 'userpassword' not in entry_attrs and options.get('random'):
-entry_attrs['userpassword'] = 
ipa_generate_password(baseuser_pwdchars)
+entry_attrs['userpassword'] = ipa_generate_password(
+baseuser_pwdchars, pwd_len=12)
# save the password so it can be displayed in post_callback
setattr(context, 'randompassword', entry_attrs['userpassword'])

diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 
413dcf15e0423170d8334902b9dcf8fb5aa14de6..1cefb6224e1a6dad0080369edee35c4524e5bd39
 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -683,7 +683,8 @@ class host_add(LDAPCreate):
if 'krbprincipal' in entry_attrs['objectclass']:
entry_attrs['objectclass'].remove('krbprincipal')
if options.get('random'):
-entry_attrs['userpassword'] = 
ipa_generate_password(characters=host_pwd_chars)
+entry_attrs['userpassword'] = ipa_generate_password(
+characters=host_pwd_chars, pwd_len=12)
# save the password so it can be displayed in post_callback
setattr(context, 'randompassword', entry_attrs['userpassword'])
certs = options.get('usercertificate', [])
diff --git a/ipaserver/plugins/stageuser.py b/ipaserver/plugins/stageuser.py
index 
3b9388f6020b9a6c40caedd36f3640a05a13da65..6df189c3913171b4990ce115b296b19c7447592d
 100644
--- a/ipaserver/plugins/stageuser.py
+++ b/ipaserver/plugins/stageuser.py
@@ -339,7 +339,8 @@ class stageuser_add(baseuser_add):

# If requested, generate a userpassword
if 'userpassword' not in entry_attrs and options.get('random'):
-entry_attrs['userpassword'] = 
ipa_generate_password(baseuser_pwdchars)
+entry_attrs['userpassword'] = ipa_generate_password(
+baseuser_pwdchars, pwd_len=12)
# save the password so it can be displayed in post_callback
setattr(context, 'randompassword', entry_attrs['userpassword'])

diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index 
b3ae7646fdcfa1dce10d90063dae2a24c091e8ee..62ec529062c7ac39661df2a8c3d2277711268b11
 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -517,7 +517,8 @@ class user_add(baseuser_add):
entry_attrs['gidnumber'] = group_attrs['gidnumber']

if 'userpassword' not in entry_attrs and options.get('random'):
-entry_attrs['userpassword'] = 
ipa_generate_password(baseuser_pwdchars)
+entry_attrs['userpassword'] = ipa_generate_password(
+baseuser_pwdchars, pwd_len=12)
# save the password so it can be displayed in post_callback
setattr(context, 'randompassword', entry_attrs['userpassword'])

--
2.5.5







--
/ Alexander Bokovoy


[Freeipa-devel] [PATCH 0559] Increase default length of auto-generated passwords

2016-07-29 Thread Martin Basti

https://fedorahosted.org/freeipa/ticket/6116


Patch attached

From ca5305e032137b7c9197d0c1050191079a72124e Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 22 Jul 2016 16:41:29 +0200
Subject: [PATCH] Increase default length of auto generated passwords

Installer/IPA generates passwords for various purposes:
* KRA
* kerberos master key
* NSSDB password
* temporary passwords during installation

Length of passwords should be increased to 22, ~128bits of entropy, to
be safe nowadays.

https://fedorahosted.org/freeipa/ticket/6116
---
 ipapython/ipautil.py   | 2 +-
 ipaserver/plugins/baseuser.py  | 3 ++-
 ipaserver/plugins/host.py  | 3 ++-
 ipaserver/plugins/stageuser.py | 3 ++-
 ipaserver/plugins/user.py  | 3 ++-
 5 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 9964fba4f694b57242b3bd3065a418917d977533..ca7e81d666cd6c345bdbbf4660c3451ac1f2c045 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -57,7 +57,7 @@ from ipapython.dn import DN
 SHARE_DIR = paths.USR_SHARE_IPA_DIR
 PLUGINS_SHARE_DIR = paths.IPA_PLUGINS
 
-GEN_PWD_LEN = 12
+GEN_PWD_LEN = 22
 
 # Having this in krb_utils would cause circular import
 KRB5_KDC_UNREACH = 2529639068 # Cannot contact any KDC for requested realm
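Review bot: The new default `GEN_PWD_LEN = 22` has no comment tying it to the ~128-bit target named in the commit message, and that figure only holds if each character is drawn uniformly from an alphabet of roughly 57 or more symbols (22 × log2(57) ≈ 128). The character set and sampling used by `ipa_generate_password` are not visible in this hunk, so the estimate should be checked against them, in particular for callers that pass a reduced `characters` argument. I would add a comment above the constant such as `# 22 chars gives ~128 bits only with the full default alphabet; recompute if the character set changes`.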
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index e4288a5a131157815ffb2452692a7edb342f6ac3..5e0752c8d3d246fa7c283f05b82ef01de2e5bf34 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -552,7 +552,8 @@ class baseuser_mod(LDAPUpdate):
 
 def check_userpassword(self, entry_attrs, **options):
 if 'userpassword' not in entry_attrs and options.get('random'):
-entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars)
+entry_attrs['userpassword'] = ipa_generate_password(
+baseuser_pwdchars, pwd_len=12)
 # save the password so it can be displayed in post_callback
 setattr(context, 'randompassword', entry_attrs['userpassword'])
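Review bot: The added `pwd_len=12` keeps the `random` user password at the old length, but neither the code nor the commit message says why this call site is exempt from the increase to 22; the same applies to the matching hunks in host.py, stageuser.py and user.py. At 12 characters the password's strength is bounded by 12 × log2(size of `baseuser_pwdchars` or `host_pwd_chars`), and those sets are not visible here, so a reader cannot tell whether the shorter value is a deliberate trade-off. If the reason is that these passwords are short-lived and have to be typed by a person, state that next to the call, e.g. `# temporary password shown to the admin; kept at 12 chars on purpose`, and in the commit message. The enclosing methods appear to continue outside the hunks.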
 
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 413dcf15e0423170d8334902b9dcf8fb5aa14de6..1cefb6224e1a6dad0080369edee35c4524e5bd39 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -683,7 +683,8 @@ class host_add(LDAPCreate):
 if 'krbprincipal' in entry_attrs['objectclass']:
 entry_attrs['objectclass'].remove('krbprincipal')
 if options.get('random'):
-entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars)
+entry_attrs['userpassword'] = ipa_generate_password(
+characters=host_pwd_chars, pwd_len=12)
 # save the password so it can be displayed in post_callback
 setattr(context, 'randompassword', entry_attrs['userpassword'])
 certs = options.get('usercertificate', [])
diff --git a/ipaserver/plugins/stageuser.py b/ipaserver/plugins/stageuser.py
index 3b9388f6020b9a6c40caedd36f3640a05a13da65..6df189c3913171b4990ce115b296b19c7447592d 100644
--- a/ipaserver/plugins/stageuser.py
+++ b/ipaserver/plugins/stageuser.py
@@ -339,7 +339,8 @@ class stageuser_add(baseuser_add):
 
 # If requested, generate a userpassword
 if 'userpassword' not in entry_attrs and options.get('random'):
-entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars)
+entry_attrs['userpassword'] = ipa_generate_password(
+baseuser_pwdchars, pwd_len=12)
 # save the password so it can be displayed in post_callback
 setattr(context, 'randompassword', entry_attrs['userpassword'])
 
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index b3ae7646fdcfa1dce10d90063dae2a24c091e8ee..62ec529062c7ac39661df2a8c3d2277711268b11 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -517,7 +517,8 @@ class user_add(baseuser_add):
 entry_attrs['gidnumber'] = group_attrs['gidnumber']
 
 if 'userpassword' not in entry_attrs and options.get('random'):
-entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars)
+entry_attrs['userpassword'] = ipa_generate_password(
+baseuser_pwdchars, pwd_len=12)
 # save the password so it can be displayed in post_callback
 setattr(context, 'randompassword', entry_attrs['userpassword'])
 
-- 
2.5.5
