Re: [Freeipa-users] freeipa password policy (history) getting reset with password reset

On Wed, May 04, 2016 at 04:16:38PM +0200, Martin Kosek wrote:
> On 05/03/2016 08:20 AM, Rakesh Rajasekharan wrote:
> > Hi,
> >
> > I am running a freeipa server 4.2.x.
> >
> > I have the following password global password policy set to force a history of 3
> >
> > ipa pwpolicy-mod global_policy --history=3 --maxlife=90 --minlength=8 --maxfail=3 --failinterval=300
> >
> > This works good when the user himself changes the password.. and IPA does not allow reusing older password.
> >
> > However, if the admin resets it "ipa user-mod testuser --random" then it seems to reset the password history as well and the user can now re-use his older password
> >
> > Is this expected or is there something I can do about it.
>
> Good question, CCing Simo on this one.
>
> > Also, is there a way to get the password expiry warning at the terminal when a user logs in, something similar to the "pwdExpireWarning" in ldap.
> >
> > I searched a bit and could only find setting up email alerts.

Some more warnings are displayed when you bump the pam_verbosity option, see man sssd.conf. I'm not sure if the expiry warning is one of them. If not, feel free to file a bug.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

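The pam_verbosity option mentioned in the reply above is set in the [pam] section of sssd.conf. The fragment below is an added example, not part of the thread: pam_pwd_expiration_warning and both values are assumptions drawn from the sssd.conf man page, and whether level 2 is enough to show the expiry warning is left open in the reply.

```ini
# /etc/sssd/sssd.conf (fragment; the values are illustrative assumptions)
[pam]
# 0 = no messages, 1 = only important messages (default),
# 2 = informational messages, 3 = all messages and debug information
pam_verbosity = 2
# Show the expiry warning only when the password expires within this many
# days; the backend server has to supply the expiration time.
pam_pwd_expiration_warning = 14
```

SSSD reads this file at start-up, so restart the sssd service after editing it.
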
Re: [Freeipa-users] freeipa password policy (history) getting reset with password reset

On Wed, 2016-05-04 at 16:16 +0200, Martin Kosek wrote:
> On 05/03/2016 08:20 AM, Rakesh Rajasekharan wrote:
> > Hi,
> >
> > I am running a freeipa server 4.2.x.
> >
> > I have the following password global password policy set to force a history of 3
> >
> > ipa pwpolicy-mod global_policy --history=3 --maxlife=90 --minlength=8 --maxfail=3 --failinterval=300
> >
> > This works good when the user himself changes the password.. and IPA does not allow reusing older password.
> >
> > However, if the admin resets it "ipa user-mod testuser --random" then it seems to reset the password history as well and the user can now re-use his older password
> >
> > Is this expected or is there something I can do about it.
>
> Good question, CCing Simo on this one.

It is arguably a bug, history shouldn't be lost IMHO.

Simo.

> > Also, is there a way to get the password expiry warning at the terminal when a user logs in, something similar to the "pwdExpireWarning" in ldap.
> >
> > I searched a bit and could only find setting up email alerts.
>
> CCing Jakub from SSSD team.
>
> Martin

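One way to confirm whether an admin reset dropped a user's stored history is to dump the entry before and after the reset and compare the number of history values. This is an added example, not code from the thread or from FreeIPA; it assumes the history is kept in the multi-valued passwordHistory attribute of the user entry, and the DN suffix and sample dumps are constructed.

```sh
#!/bin/sh
# Compare a user's stored password history before and after an admin reset.
# Assumption (not stated in the thread): the history is held in the
# multi-valued passwordHistory attribute of the user entry. A dump could be
# taken as Directory Manager with, for example:
#   ldapsearch -x -D "cn=Directory Manager" -W -s base \
#     -b "uid=testuser,cn=users,cn=accounts,dc=example,dc=com" passwordHistory
# where dc=example,dc=com is a placeholder suffix.

# Count passwordHistory values in the LDIF text passed as $1.
# LDIF writes plain values as "attr: v" and base64 values as "attr:: v".
count_history() {
    printf '%s\n' "$1" |
        awk 'tolower($0) ~ /^passwordhistory::? / { n++ } END { print n + 0 }'
}

# Print "history-lost" when the entry holds fewer history values after the
# reset ($2) than before it ($1), otherwise "history-kept".
check_reset() {
    before=$(count_history "$1")
    after=$(count_history "$2")
    if [ "$after" -lt "$before" ]; then
        echo "history-lost (before=$before after=$after)"
    else
        echo "history-kept (before=$before after=$after)"
    fi
}

# Constructed sample dumps; the values are placeholders, not real hashes.
BEFORE='dn: uid=testuser,cn=users,cn=accounts,dc=example,dc=com
passwordHistory:: Y29uc3RydWN0ZWQtMQ==
passwordHistory:: Y29uc3RydWN0ZWQtMg==
passwordHistory:: Y29uc3RydWN0ZWQtMw=='
AFTER='dn: uid=testuser,cn=users,cn=accounts,dc=example,dc=com'

check_reset "$BEFORE" "$AFTER"
```
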
Re: [Freeipa-users] freeipa password policy (history) getting reset with password reset

On 05/03/2016 08:20 AM, Rakesh Rajasekharan wrote:
> Hi,
>
> I am running a freeipa server 4.2.x.
>
> I have the following password global password policy set to force a history of 3
>
> ipa pwpolicy-mod global_policy --history=3 --maxlife=90 --minlength=8 --maxfail=3 --failinterval=300
>
> This works good when the user himself changes the password.. and IPA does not allow reusing older password.
>
> However, if the admin resets it "ipa user-mod testuser --random" then it seems to reset the password history as well and the user can now re-use his older password
>
> Is this expected or is there something I can do about it.

Good question, CCing Simo on this one.

> Also, is there a way to get the password expiry warning at the terminal when a user logs in, something similar to the "pwdExpireWarning" in ldap.
>
> I searched a bit and could only find setting up email alerts.

CCing Jakub from SSSD team.

Martin

[Freeipa-users] freeipa password policy (history) getting reset with password reset

Hi,

I am running a freeipa server 4.2.x.

I have the following password global password policy set to force a history of 3

ipa pwpolicy-mod global_policy --history=3 --maxlife=90 --minlength=8 --maxfail=3 --failinterval=300

This works good when the user himself changes the password.. and IPA does not allow reusing older password.

However, if the admin resets it "ipa user-mod testuser --random" then it seems to reset the password history as well and the user can now re-use his older password

Is this expected or is there something I can do about it.

Also, is there a way to get the password expiry warning at the terminal when a user logs in, something similar to the "pwdExpireWarning" in ldap.

I searched a bit and could only find setting up email alerts.

Thanks,
Rakesh