Re: [Freeipa-users] Password Expiration Grace Limit
<latetotheparty>

> There seems to be nothing in the documentation about a user being able to initiate a password change dialogue after their password has expired

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Using_SSH_for_Password_Authentication.html

</latetotheparty>

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Password Expiration Grace Limit
On 09/14/2012 02:33 PM, Ott, Dennis wrote:
> There seems to be nothing in the documentation about a user being able to initiate a password change dialogue after their password has expired, yet it seems that one is able to do just that.
>
> There is a value in the ldap store, passwordGraceLimit, which is initialized to zero. I have modified that value but it seems to have no effect.
>
> I would like to limit this ability to just a few days, or alternatively, completely lock out the account once the password has expired.
>
> Does anyone have any insight as to how to do this? If not, is it planned for a future release?
>
> I suppose I could look at a script running daily that would lock the account if the user's password has expired in the last X hours, but I was hoping for something builtin.
>
> Any help is appreciated.

AFAIR this is the first request of this kind. We allow changing the password even after expiration. The main reason is that newly created accounts need to change passwords, so they are marked as immediately expired. But it might take some time for a user to actually log into the system for the first time; this is why we never thought about the use case described. So I suspect we do not have any grace period enforced. It might be a bug. Simo, what do you think?

> Dennis

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Password Expiration Grace Limit
Ott, Dennis wrote:
> There seems to be nothing in the documentation about a user being able to initiate a password change dialogue after their password has expired, yet it seems that one is able to do just that.
>
> There is a value in the ldap store, passwordGraceLimit, which is initialized to zero. I have modified that value but it seems to have no effect.

This value is not used by IPA. I don't believe we have the ability to do this right now. As you suggest, some automation may be required to find expired passwords and lock them out.

> I would like to limit this ability to just a few days, or alternatively, completely lock out the account once the password has expired.

This would be difficult because administratively-reset accounts have their passwords expired to force users to set a new one (so that only the end-user knows their password). This would effectively lock everyone out.

> Does anyone have any insight as to how to do this? If not, is it planned for a future release?

No plans for this AFAIK. Feel free to file an enhancement request ticket on our Trac site, https://fedorahosted.org/freeipa/

> I suppose I could look at a script running daily that would lock the account if the user's password has expired in the last X hours, but I was hoping for something builtin.

regards

rob
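The automation Dennis proposes and Rob endorses ("find expired passwords and lock them out") has one trap that Rob spells out: IPA marks administratively reset and newly created accounts as expired on purpose, so a job that locks every expired account locks out everyone who was just reset. The following is an added example, not FreeIPA code or anything from the thread's authors. It implements the "expired more than N days ago" rule as the grace period, which leaves fresh resets alone and, as Simo notes later in the thread, eventually locks accounts that were never used. It assumes user records in the shape that `ipa user-find --all --raw` or an LDAP search of `cn=users,cn=accounts,<suffix>` returns, with `krbPasswordExpiration` in LDAP GeneralizedTime (UTC, `Z` suffix) and `nsAccountLock` as the lock flag; the directory lookup is replaced by constructed sample records so the selection logic runs offline, and the `ipa user-disable` calls are returned rather than executed unless dry-run is switched off.

```python
"""Daily job: disable IPA users whose password expired more than GRACE_DAYS ago.

Added example for the freeipa-users thread, not FreeIPA code. Assumes:
  - krbPasswordExpiration holds LDAP GeneralizedTime, e.g. 20120914183300Z
  - nsAccountLock is "TRUE" on already-disabled accounts
  - `ipa user-disable <uid>` is the locking action (run only when dry_run=False)
"""
from datetime import datetime, timedelta, timezone
import shlex
import subprocess

GRACE_DAYS = 3  # assumed policy value: expired longer than this -> lock

# Constructed sample records standing in for an `ipa user-find --all --raw` /
# LDAP result. Comments state the expected decision for now = 2012-09-14 19:00Z.
SAMPLE_USERS = [
    {"uid": "alice", "krbPasswordExpiration": "20121001120000Z", "nsAccountLock": "FALSE"},  # not expired: keep
    {"uid": "bob",   "krbPasswordExpiration": "20120901120000Z", "nsAccountLock": "FALSE"},  # expired 13 days: lock
    {"uid": "carol", "krbPasswordExpiration": "20120914180000Z", "nsAccountLock": "FALSE"},  # admin reset 1h ago: keep
    {"uid": "dave",  "krbPasswordExpiration": "20120801120000Z", "nsAccountLock": "TRUE"},   # already locked: skip
    {"uid": "erin"},                                                                          # no expiration set: skip
]


def parse_generalized_time(value: str) -> datetime:
    """Parse the GeneralizedTime form IPA writes (always UTC with a 'Z' suffix)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ")


def users_to_lock(users, now, grace_days: int = GRACE_DAYS):
    """Return uids whose password expired more than `grace_days` before `now`.

    `now` may be a naive UTC datetime or a GeneralizedTime string. Accounts that
    expired inside the grace window (fresh admin resets, new accounts awaiting a
    first login), accounts already locked, and accounts with no expiration are
    left untouched, which is the caveat raised in the thread.
    """
    if isinstance(now, str):
        now = parse_generalized_time(now)
    cutoff = now - timedelta(days=grace_days)
    selected = []
    for user in users:
        expiration = user.get("krbPasswordExpiration")
        if not expiration:
            continue
        if str(user.get("nsAccountLock", "FALSE")).upper() == "TRUE":
            continue
        if parse_generalized_time(expiration) < cutoff:
            selected.append(user["uid"])
    return selected


def disable_commands(uids):
    """Build the `ipa user-disable` invocations as argv lists (no shell involved)."""
    return [["ipa", "user-disable", uid] for uid in uids]


def run(users, now=None, dry_run=True, grace_days: int = GRACE_DAYS):
    """Evaluate the policy and either print or execute the resulting commands."""
    if now is None:
        now = datetime.now(timezone.utc).replace(tzinfo=None)
    commands = disable_commands(users_to_lock(users, now, grace_days))
    for cmd in commands:
        if dry_run:
            print("would run:", " ".join(shlex.quote(part) for part in cmd))
        else:
            subprocess.run(cmd, check=True)  # requires a valid admin Kerberos ticket
    return commands


if __name__ == "__main__":
    # Dry run against the constructed records at a fixed evaluation time.
    run(SAMPLE_USERS, now="20120914190000Z")
```

In production the `SAMPLE_USERS` list is replaced by the live query, and the job should log every uid it disables so a password-reset helpdesk can see why an account went dark; the grace period should be at least as long as the expected time between an administrative reset and the user's first login.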
Re: [Freeipa-users] Password Expiration Grace Limit
On Fri, 2012-09-14 at 14:50 -0400, Dmitri Pal wrote:
> On 09/14/2012 02:33 PM, Ott, Dennis wrote:
>> There seems to be nothing in the documentation about a user being able to initiate a password change dialogue after their password has expired, yet it seems that one is able to do just that.
>>
>> There is a value in the ldap store, passwordGraceLimit, which is initialized to zero. I have modified that value but it seems to have no effect.
>>
>> I would like to limit this ability to just a few days, or alternatively, completely lock out the account once the password has expired.
>>
>> Does anyone have any insight as to how to do this? If not, is it planned for a future release?
>>
>> I suppose I could look at a script running daily that would lock the account if the user's password has expired in the last X hours, but I was hoping for something builtin.
>>
>> Any help is appreciated.
>
> AFAIR this is the first request of this kind. We allow changing the password even after expiration. The main reason is that newly created accounts need to change passwords, so they are marked as immediately expired. But it might take some time for a user to actually log into the system for the first time; this is why we never thought about the use case described. So I suspect we do not have any grace period enforced. It might be a bug. Simo, what do you think?

Sounds like material for a Feature Request. I think setting a grace period is a good idea, and it has the nice side effect of automatically locking new accounts if the user never uses them.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Password Expiration Grace Limit
On 09/14/2012 02:52 PM, Rob Crittenden wrote:
> Ott, Dennis wrote:
>> There seems to be nothing in the documentation about a user being able to initiate a password change dialogue after their password has expired, yet it seems that one is able to do just that.
>>
>> There is a value in the ldap store, passwordGraceLimit, which is initialized to zero. I have modified that value but it seems to have no effect.
>
> This value is not used by IPA. I don't believe we have the ability to do this right now. As you suggest, some automation may be required to find expired passwords and lock them out.
>
>> I would like to limit this ability to just a few days, or alternatively, completely lock out the account once the password has expired.
>
> This would be difficult because administratively-reset accounts have their passwords expired to force users to set a new one (so that only the end-user knows their password). This would effectively lock everyone out.
>
>> Does anyone have any insight as to how to do this? If not, is it planned for a future release?
>
> No plans for this AFAIK. Feel free to file an enhancement request ticket on our Trac site, https://fedorahosted.org/freeipa/
>
>> I suppose I could look at a script running daily that would lock the account if the user's password has expired in the last X hours, but I was hoping for something builtin.

This is related https://fedorahosted.org/freeipa/ticket/1539

> regards
>
> rob

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/