Re: [Freeipa-users] Allow freeipa send password to user
On Thu, 2014-02-20 at 11:29 +0100, Jan Pazdziora wrote:
> On Tue, Feb 18, 2014 at 04:44:30PM -0500, Dmitri Pal wrote:
> > On 02/17/2014 10:51 PM, barry...@gmail.com wrote:
> > > Is it possible to set allow password to send to user after user request.
> > >
> > > I used one of the self password service pwm but it seems it is not
> > > compatible to retrieval of password
> > > using cert request / Answer and questions retrieval
> >
> > Passwords can't be sent to the user. You can, using an administrative
> > account, set a new password (i.e. do an admin reset) and send it to
> > the user but then the user will be asked to change it on the first
> > authentication.
>
> Since I've heard the requirement for no password change forced on user
> upon their first login from multiple sides, I wonder if the current
> behaviour stems from some technical reason or if it's just a security
> approach which the FreeIPA admins should be able to override.

It is a security measure, and also quite easy to work around.
Working it around is left as an exercise to the reader.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Allow freeipa send password to user
On Thu, 20 Feb 2014, Jan Pazdziora wrote:
> On Tue, Feb 18, 2014 at 04:44:30PM -0500, Dmitri Pal wrote:
> > On 02/17/2014 10:51 PM, barry...@gmail.com wrote:
> > > Is it possible to set allow password to send to user after user request.
> > >
> > > I used one of the self password service pwm but it seems it is not
> > > compatible to retrieval of password
> > > using cert request / Answer and questions retrieval
> >
> > Passwords can't be sent to the user. You can, using an administrative
> > account, set a new password (i.e. do an admin reset) and send it to
> > the user but then the user will be asked to change it on the first
> > authentication.
>
> Since I've heard the requirement for no password change forced on user
> upon their first login from multiple sides, I wonder if the current
> behaviour stems from some technical reason or if it's just a security
> approach which the FreeIPA admins should be able to override.

There is no such thing as 'just' when taking security seriously, sorry.

Any change of the password by someone other than the owner of it taints
the password. Administrator setting the password taints it because what
is known to more than one party cannot be considered secret anymore.

If certain organization policy needs to override this, a sequence like

    $ kinit admin
    $ echo "nimda$NEWPASSWORD" | ipa passwd user
    $ echo -e "nimda$NEWPASSWORD\n$NEWPASSWORD\n$NEWPASSWORD" | kpasswd user

would set $NEWPASSWORD for the user. You can certainly script it but I'd
recommend thinking seriously about how well this goes with data security
regulations an organization could be subject to.

--
/ Alexander Bokovoy

Re: [Freeipa-users] Allow freeipa send password to user
On Tue, Feb 18, 2014 at 04:44:30PM -0500, Dmitri Pal wrote:
> On 02/17/2014 10:51 PM, barry...@gmail.com wrote:
> > Is it possible to set allow password to send to user after user request.
> >
> > I used one of the self password service pwm but it seems it is not
> > compatible to retrieval of password
> > using cert request / Answer and questions retrieval
>
> Passwords can't be sent to the user. You can, using an administrative
> account, set a new password (i.e. do an admin reset) and send it to
> the user but then the user will be asked to change it on the first
> authentication.

Since I've heard the requirement for no password change forced on user
upon their first login from multiple sides, I wonder if the current
behaviour stems from some technical reason or if it's just a security
approach which the FreeIPA admins should be able to override.

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] Allow freeipa send password to user
On 02/17/2014 10:51 PM, barry...@gmail.com wrote:
> Is it possible to set allow password to send to user after user request.
>
> I used one of the self password service pwm but it seems it is not
> compatible to retrieval of password
> using cert request / Answer and questions retrieval
>
> thks
> barry

Passwords can't be sent to the user. You can, using an administrative
account, set a new password (i.e. do an admin reset) and send it to
the user but then the user will be asked to change it on the first
authentication.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

[Freeipa-users] Allow freeipa send password to user
Is it possible to set allow password to send to user after user request.

I used one of the self password service pwm but it seems it is not
compatible to retrieval of password
using cert request / Answer and questions retrieval

thks
barry