Re: [Freeipa-users] passwords
On 05/23/2015 10:21 PM, Janelle wrote:
> I have a question regarding passwords. It seems IPA does a very nice job of generating random passwords.

Thanks!

> Is there a way to use that feature without actually setting it on a user? Something akin to pwgen?
>
> Thank you
> ~Janelle

There is no explicit script to do that, there was no demand or value so far. You would need to call for that functionality yourself in a python script. This works for me with FreeIPA 4.1 for example:

    # python -c 'from ipalib import api; api.bootstrap(); api.finalize(); from ipalib.plugins.user import user_pwdchars; from ipapython.ipautil import ipa_generate_password; print ipa_generate_password(user_pwdchars)'
    dIbhUAM3puoA

If you have a vision/idea why/how/when FreeIPA could be used as a Password generator, please feel free to file an RFE (and send patches :-)

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] passwords
I have a question regarding passwords. It seems IPA does a very nice job of generating random passwords. Is there a way to use that feature without actually setting it on a user? Something akin to pwgen?

Thank you
~Janelle
Re: [Freeipa-users] passwords expiration against IPA v.3.0.0-37 using ldap not kerberos
On Fri, Jul 18, 2014 at 11:22:05AM -0400, Lance Reed wrote:
> I am having a problem with sssd (1.9.2) and passwords expiration against IPA v.3.0.0-37.
>
> I have set up sssd to use IPA with LDAP not Kerberos since this is in EC2 and I don’t want to deal with assigning tickets to each ephemeral host.
>
> So far things are working great, with the one exception that due to IPA using “krbPasswordExpiration” instead of “shadowExpire” breaks the usage of expired passwords.
>
> I tried setting “ldap_pwd_policy = mit_kerberos”, which does allow expired passwords to be recognized, but then breaks the user's ability to change passwords. I suspect it causes sssd to use all Kerberos code paths, which won’t work in this case.
>
> e.g. added [domain/LDAP] trying to see if will work.
>
>     id_provider = ldap
>     auth_provider = ldap
>     chpass_provider = ldap
>     ldap_schema = IPA
>     #ldap_pwd_policy = mit_kerberos
>     ldap_account_expire_policy = mit_kerberos
>
> If anyone has any ideas on this I would appreciate any feedback.
>
> Thanks in advance.

fyi, this question was asked on sssd-users, too and the discussion is ongoing on that list:
https://lists.fedorahosted.org/pipermail/sssd-users/2014-July/001957.html
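
Added example, not part of the original messages and not SSSD or FreeIPA code: a small Python 3 sketch of the mismatch described above, where the expiry sits in krbPasswordExpiration (an LDAP GeneralizedTime value) and a check that only reads shadowExpire (days since 1970-01-01) has nothing to evaluate. The function names, the entry "jdoe" and the timestamps are constructed for illustration, and the comparison rules are simplified assumptions rather than sssd's exact logic.

```python
import re
from datetime import datetime, timedelta, timezone

# Full-seconds GeneralizedTime: YYYYMMDDHHMMSS[.fraction](Z | +hh[mm] | -hh[mm])
_GT = re.compile(r"^(\d{14})(?:[.,]\d+)?(Z|[+-]\d{2}(?:\d{2})?)$")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_generalized_time(value):
    """Turn an LDAP GeneralizedTime string into an aware datetime (fraction dropped)."""
    m = _GT.match(value)
    if not m:
        raise ValueError("unsupported GeneralizedTime: %r" % value)
    zone = m.group(2)
    if zone == "Z":
        offset = timedelta(0)
    else:
        sign = -1 if zone[0] == "-" else 1
        offset = sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[3:5] or 0))
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone(offset))


def krb_expired(entry, now):
    """True/False from krbPasswordExpiration; None when the attribute is absent."""
    value = entry.get("krbPasswordExpiration")
    return None if value is None else now >= parse_generalized_time(value)


def shadow_expired(entry, now):
    """True/False from shadowExpire (days since 1970-01-01); None when absent or -1."""
    value = entry.get("shadowExpire")
    if value is None or int(value) < 0:
        return None
    return (now - EPOCH).days >= int(value)


def expiry_report(entry, now):
    """Show what each check can see for one entry."""
    return {"krb": krb_expired(entry, now), "shadow": shadow_expired(entry, now)}


# Constructed sample data: an IPA-style entry that only carries the Kerberos attribute.
SAMPLE_ENTRY = {"uid": "jdoe", "krbPasswordExpiration": "20140701000000Z"}
NOW = datetime(2014, 7, 18, 15, 22, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(expiry_report(SAMPLE_ENTRY, NOW))
```

A result of None from the shadow check means "no expiry information", which a client would treat as a password that is still valid.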