Re: [Freeipa-users] Password expiration dates are different when being reset by the (primary) admin and a different admin

2014-09-03 Thread Martin Kosek
Great! Btw, +1 for running IPA 3.3.3; it has much more to offer than the
RHEL/CentOS 6.x one.

Martin

On 09/03/2014 06:08 PM, Zip Ly wrote:
 @Martin
 
 Ah, that explains everything. We were using centos 6.5 + ipa 3.0.0.
 Now with a new test setup, centos 7 + ipa 3.3.3, it works just as we wanted.
 
 Thanks all for the help!
 
 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] Password expiration dates are different when being reset by the (primary) admin and a different admin

2014-09-03 Thread Zip Ly
@Martin

Ah, that explains everything. We were using centos 6.5 + ipa 3.0.0.
Now with a new test setup, centos 7 + ipa 3.3.3, it works just as we wanted.

Thanks all for the help!



Re: [Freeipa-users] Password expiration dates are different when being reset by the (primary) admin and a different admin

2014-09-02 Thread Zip Ly
@Martin

The second admin is my service account. I use this account to communicate
with our web application (it uses a keytab and post/curl json to ipa). I can
add users without a problem. But when it comes to changing a password, the
password is expired immediately.

I have only one password policy and that's the 'global_policy'. The
--maxlife you mentioned only affects this policy. If I use this service
account to change the user password, the policy is ignored just as stated
in the ipa wiki. Even if I set the --maxlife to 200, if the password is
being reset by this first admin, then the expire date is set to 90 days,
or expired immediately by the second admin/service account.

That's why I want to know how to change these 90 days and also apply it for
the service account.




Re: [Freeipa-users] Password expiration dates are different when being reset by the (primary) admin and a different admin

2014-09-02 Thread Martin Kosek
On 09/02/2014 10:42 AM, Zip Ly wrote:
 @Martin
 
 The second admin is my service account. I use this account to communicate
 with our web application (it uses a keytab and post/curl json to ipa). I can
 add users without a problem. But when it comes to changing a password, the
 password is expired immediately.
 
 I have only one password policy and that's the 'global_policy'. The
 --maxlife you mentioned only affects this policy. If I use this service
 account to change the user password, the policy is ignored just as stated
 in the ipa wiki. Even if I set the --maxlife to 200, if the password is
 being reset by this first admin, then the expire date is set to 90 days,
 or expired immediately by the second admin/service account.
 
 That's why I want to know how to change these 90 days and also apply it for
 the service account.

What version of FreeIPA do you use? Maybe you are hitting
https://fedorahosted.org/freeipa/ticket/3968
that we fixed in FreeIPA 3.3.3.

Martin



Re: [Freeipa-users] Password expiration dates are different when being reset by the (primary) admin and a different admin

2014-09-01 Thread Martin Kosek
On 08/29/2014 10:21 AM, Zip Ly wrote:
 @Martin
 1) Yes, I did execute 8.5.3 from the wiki. Is this the reason for the
 system's behaviour?

Yes.

 If so, why doesn't it apply to both admins?

Because only a DN of the first admin was added. It applies only to objects
bound with this DN then.

 And it
 doesn't explain the 90 days, because it is not set in the tutorial.

90 days is the password policy defined password maximum life. You can check
with ipa pwpolicy-show [group]. This value is not defined in
cn=ipa_pwd_extop,cn=plugins,cn=config, thus not present in the docs.

 Unless
 some params are left out of the wiki for some reason. I'm using a Windows
 LDAP admin tool to browse the LDAP tree, but couldn't find this param/value,
 so I wasn't sure if the new setting is being used. I did get a confirmation
 while executing the change.

To set the max password life, use the ipa pwpolicy-mod --maxlife $LIFE
command (or the Web UI).

 
 @Dimitri
 1) Yes, there are no problems with changing your own password. There is
 only something strange with the expiration lifetime when you are changing
 other users (admin or non-admin) password. The expiration lifetime of a
 password reset should be equal to BOTH admins like expired immediately, 90
 days or the value that is set in the password policy. I prefer the value in
 a password policy, because this way I have it more under control.
 
 @Martin  @Will
 1b) Ok, I'm afraid you may say that. Most free clients like gmail, hotmail,
 ebay, paypal don't require a password reset from time to time (yes they
 may have set a very high value). So I was wondering why it isn't possible.
 I know it's bad for security, but still.

I think the solution is to:

1) Change the password policy to a very high value (even in years), as Will
suggested in this thread.

2) Use service accounts (service-add) with keytabs for services which do not
need to change their passwords, given they authenticate with keytab which does
not suffer from password complexity issues.

3) Contribute to FreeIPA and make --maxlife 0 or similar mean unlimited
validity (https://fedorahosted.org/freeipa/ticket/2795) :-)




Re: [Freeipa-users] Password expiration dates are different when being reset by the (primary) admin and a different admin

2014-08-29 Thread Zip Ly
@Martin
1) Yes, I did execute 8.5.3 from the wiki. Is this the reason for the
system's behaviour? If so, why doesn't it apply to both admins? And it
doesn't explain the 90 days, because it is not set in the tutorial. Unless
some params are left out of the wiki for some reason. I'm using a Windows
LDAP admin tool to browse the LDAP tree, but couldn't find this param/value,
so I wasn't sure if the new setting is being used. I did get a confirmation
while executing the change.

@Dimitri
1) Yes, there are no problems with changing your own password. There is
only something strange with the expiration lifetime when you are changing
other users (admin or non-admin) password. The expiration lifetime of a
password reset should be equal to BOTH admins like expired immediately, 90
days or the value that is set in the password policy. I prefer the value in
a password policy, because this way I have it more under control.

@Martin  @Will
1b) Ok, I'm afraid you may say that. Most free clients like gmail, hotmail,
ebay, paypal don't require a password reset from time to time (yes they
may have set a very high value). So I was wondering why it isn't possible.
I know it's bad for security, but still.





Re: [Freeipa-users] Password expiration dates are different when being reset by the (primary) admin and a different admin

2014-08-28 Thread Martin Kosek
On 08/28/2014 04:18 PM, Zip Ly wrote:
 Hi,
 
 
 I'm trying to change a user password without reset.
 If I use the (primary) admin to change the password then it doesn't need a
 password reset, because the expire lifetime is 90 days.

This is strange. Did you by any chance add this admin's account DN to the
passSyncManagersDNs setting in the ipa_pwd_extop plugin?

http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/pass-sync.html#password-sync

 But if I create a second admin, then every password change made by the
 second admin needs a password reset, because the password is expired
 immediately.

Right, this is done on purpose:
http://www.freeipa.org/page/New_Passwords_Expired

 1a) Does anyone know how I can change the policy/privilege of the second
 admin so every password change doesn't require a reset?

See docs link above. But note it is a hack and we discourage it for reasons
written in the wiki link above.

 1b) and is it
 possible to set a different expire lifetime like zero for unlimited
 lifetime?

No (for security reasons).

 
 It's almost the same bug report as
 https://fedorahosted.org/freeipa/ticket/2795 but the difference is there
 should be 2 policies: one for changing your own password and another for
 resetting other users' passwords.

Administrative password change is only subject to max password life time part
of the password policy AFAIR. Thus it already uses 2 different standards for
these password changes (e.g. password length is not enforced for administrative
password change).

 2) Are there more differences in policies between the first (primary) admin
 and the second admin you just created?

There should not be. All members of admins groups should be equal in rights.

Martin
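As an added illustration (not part of the thread, and not FreeIPA's own code), a small Python check that reads a user's krbLastPwdChange and krbPasswordExpiration stamps and tells which of the behaviours Martin describes the last reset matched: a normal administrative reset (expired immediately), a policy-bound change (expiration = last change + pwpolicy maxlife, which is also what the passSyncManagersDNs bypass produces), or something else worth auditing. The sample output is constructed, and the "Label: value" layout and attribute labels of `ipa pwpolicy-show` / `ipa user-show --all` are assumed; adjust them to what your version prints.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample output, not captured from a real server; the "Label: value"
# layout mimics `ipa pwpolicy-show` and `ipa user-show --all` (labels assumed).
SAMPLE_PWPOLICY_SHOW = """\
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
"""

SAMPLE_USER_SHOW = """\
  User login: jdoe
  Password: True
  krblastpwdchange: 20140901140500Z
  krbpasswordexpiration: 20140901140500Z
"""

GENTIME_RE = re.compile(r"^(\d{14})Z$")

def parse_key_values(text):
    """Turn 'Label: value' lines into a dict keyed by the lower-cased label."""
    attrs = {}
    for line in text.splitlines():
        key, sep, val = line.strip().partition(":")
        if sep:
            attrs[key.strip().lower()] = val.strip()
    return attrs

def parse_gentime(value):
    """Parse an LDAP GeneralizedTime such as 20140901140500Z into an aware UTC datetime."""
    m = GENTIME_RE.match(value.strip())
    if not m:
        raise ValueError("unexpected GeneralizedTime: %r" % value)
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def maxlife_from_pwpolicy_show(text):
    """Max password lifetime in days as reported by `ipa pwpolicy-show`."""
    return int(parse_key_values(text)["max lifetime (days)"])

def classify_reset(user_attrs, maxlife_days, tolerance=timedelta(minutes=5)):
    """Match the gap between last change and expiration to the behaviours in the thread:
      'expired-immediately': normal administrative reset (expiration == last change),
      'policy-maxlife': self-service change or passSyncManagersDNs bypass
                        (expiration == last change + policy maxlife),
      'unexpected': anything else, worth auditing."""
    last_change = parse_gentime(user_attrs["krblastpwdchange"])
    expiration = parse_gentime(user_attrs["krbpasswordexpiration"])
    delta = expiration - last_change
    if abs(delta) <= tolerance:
        return "expired-immediately"
    if abs(delta - timedelta(days=maxlife_days)) <= tolerance:
        return "policy-maxlife"
    return "unexpected"

if __name__ == "__main__":
    maxlife = maxlife_from_pwpolicy_show(SAMPLE_PWPOLICY_SHOW)
    print(classify_reset(parse_key_values(SAMPLE_USER_SHOW), maxlife))
```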



Re: [Freeipa-users] Password expiration dates are different when being reset by the (primary) admin and a different admin

2014-08-28 Thread Will Sheldon
1a) has come up before:
https://www.redhat.com/archives/freeipa-users/2014-February/msg00313.html

1b) We handled this by setting the expire lifetime to a very large value (20 
years) for members of a certain group.

2) I’m not sure.


Kind regards,

Will Sheldon
+1.778-689-1244

On August 28, 2014 at 7:26:03 AM, Zip Ly (zip...@gmail.com) wrote:

Hi,
 
 
I'm trying to change a user password without reset.
If I use the (primary) admin to change the password then it doesn't need a 
password reset, because the expire lifetime is 90 days.
 
But if I create a second admin, then every password change made by the second 
admin needs a password reset, because the password is expired immediately.
 
1a) Does anyone know how I can change the policy/privilege of the second admin 
so every password change doesn't require a reset? 1b) and is it possible to set 
a different expire lifetime like zero for unlimited lifetime?
 
It's almost the same bug report as https://fedorahosted.org/freeipa/ticket/2795 
but the difference is there should be 2 policies: one for changing your own 
password and another for resetting other users' passwords.
 
 
2) Are there more differences in policies between the first (primary) admin and 
the second admin you just created?
 
 
Kind regards,
 
Zip
 
 


Re: [Freeipa-users] Password expiration dates are different when being reset by the (primary) admin and a different admin

2014-08-28 Thread Dmitri Pal

On 08/28/2014 04:18 PM, Zip Ly wrote:

Hi,
I'm trying to change a user password without reset.
If I use the (primary) admin to change the password then it doesn't 
need a password reset, because the expire lifetime is 90 days.
But if I create a second admin, then every password change made by the 
second admin needs a password reset, because the password is expired 
immediately.
1a) Does anyone know how I can change the policy/privilege of the 
second admin so every password change doesn't require a reset? 
1b) and is it possible to set a different expire lifetime like zero 
for unlimited lifetime?


You are probably changing password for the admin himself.
Isn't there a different flow when admin changes his own password?

It's almost the same bug report as 
https://fedorahosted.org/freeipa/ticket/2795 but the difference is 
there should be 2 policies: one for changing your own password and 
another for resetting other users' passwords.
2) Are there more differences in policies between the first (primary) 
admin and the second admin you just created?

Kind regards,
Zip






--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
