Re: [Freeipa-users] Unexpired pw?

2015-03-27 Thread Martin Kosek
On 03/27/2015 01:52 PM, Janelle wrote:
> 
> Hi all,
> 
> Found an odd issue and a question.  If you change user pw with "ipa user-mod 
> -password" and the client is configured for LDAP, then the user is not forced 
> to change the pw on initial login.

This is something we would like to fix eventually, it is tracked in
https://fedorahosted.org/freeipa/ticket/1539

It was not done yet as just forcing the password expiration on LDAP BIND tends
to break stuff.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Unexpired pw?

2015-03-27 Thread Alexander Bokovoy

On Fri, 27 Mar 2015, Janelle wrote:

> Hi all,
> 
> Found an odd issue and a question.  If you change user pw with "ipa
> user-mod -password" and the client is configured for LDAP, then the
> user is not forced to change the pw on initial login.

We have three different cases depending on who changes the userPassword
attribute in LDAP:

1. cn=Directory Manager can change anything and it doesn't taint the
userPassword attribute.

2. A user can change their own password and it doesn't taint the userPassword
attribute.

3. Any other identity that can change a password will taint the userPassword
attribute.

If you change a user password with "ipa user-mod --password" the question
should be "who are you?" and the answer to that question drives the
tainting logic described above.

> However, my other question is, can you set a user pw WITHOUT
> pre-expiring?!

cn=Directory Manager is the one who can, but directly in LDAP, as you
cannot authenticate as 'cn=Directory Manager' using IPA tools.

If you are insisting on lowering the security of your passwords, nothing
prevents you from changing the user password to some value as the admin user
first and then setting it as that user to the correct value. We don't
recommend doing so, but you already have the means to ignore our
recommendations.

--
/ Alexander Bokovoy


[Freeipa-users] Unexpired pw?

2015-03-27 Thread Janelle

Hi all,

Found an odd issue and a question.  If you change user pw with "ipa user-mod 
-password" and the client is configured for LDAP, then the user is not forced 
to change the pw on initial login.

However, my other question is, can you set a user pw WITHOUT pre-expiring?!

~J
