Re: [Freeipa-users] Unexpiring user passwords
On Sunday, May 01, 2016 12:31:14 Rob Crittenden wrote:
> > Is there a way around this? Is there a password synchronization protocol
> > that can be used to link up systems that need to have common logins?
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#password-sync

Rob - Thank you! For some reason, I had seen that page, and scanned through it, but missed that part. Very grateful!

j

-- 
Joshua J. Kugler - Fairbanks, Alaska
Azariah Enterprises - Programming and Website Design
jos...@azariah.com - Jabber: pedah...@gmail.com
PGP Key: http://pgp.mit.edu/ ID 0x73B13B6A

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Unexpiring user passwords
On Sun, May 1, 2016 at 4:53 AM, Joshua J. Kugler wrote:
> We have a situation where the passwords in FreeIPA need to be synchronized
> with another system in the company (a database of users, which is the
> authoritative source for users and passwords). But, from what I read, the
> documentation is telling me we can't do that, because if we followed this
> work flow:
>
> 1. User goes to "master DB" and changes their password
> 2. master DB runs a script which sets password on FreeIPA system
> 3. User's login is now broken because the password is expired.
>

leaving the design/philosophy aside, you could modify your users' krbpasswordexpiration ldap attribute in your script that changes the freeipa password from your master DB password source. It's quite simple using your ldap tools of choice.

-- 
Groeten,
natxo
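One way a sync script could set that attribute, as an added example that is not code from the thread or from FreeIPA: it builds the LDIF an ldapmodify call would consume and computes a krbPasswordExpiration in LDAP GeneralizedTime, assuming FreeIPA's default user DN layout (uid=login,cn=users,cn=accounts,basedn); the base DN, login and timestamps are constructed sample values.

```python
"""Build the LDIF a sync script would feed to ldapmodify to set
krbPasswordExpiration on a FreeIPA user after pushing a new password.

Added example, not code from the thread. Assumes FreeIPA's default user
DN layout uid=<login>,cn=users,cn=accounts,<basedn>.
"""
from datetime import datetime, timedelta, timezone

# LDAP GeneralizedTime in UTC, the format stored in krbPasswordExpiration
# (e.g. 20160501123114Z).
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def user_dn(login: str, basedn: str) -> str:
    """DN of a user under FreeIPA's default cn=users,cn=accounts tree."""
    # Refuse logins that would need DN escaping rather than guess at it.
    if not login or any(c in login for c in ',=+<>#;\\"'):
        raise ValueError(f"refusing to build a DN from login {login!r}")
    return f"uid={login},cn=users,cn=accounts,{basedn}"


def expiration_value(set_at_iso: str, valid_days: int) -> str:
    """krbPasswordExpiration that follows the master DB's own lifetime
    instead of the immediate expiry FreeIPA applies to an admin reset.
    set_at_iso is an ISO 8601 timestamp carrying a UTC offset."""
    set_at = datetime.fromisoformat(set_at_iso)
    if set_at.tzinfo is None:
        raise ValueError("set_at_iso must carry a UTC offset")
    expires = set_at.astimezone(timezone.utc) + timedelta(days=valid_days)
    return expires.strftime(GENERALIZED_TIME)


def expiration_ldif(login: str, basedn: str, set_at_iso: str, valid_days: int) -> str:
    """LDIF 'replace' operation for ldapmodify on the user's entry."""
    return (
        f"dn: {user_dn(login, basedn)}\n"
        "changetype: modify\n"
        "replace: krbPasswordExpiration\n"
        f"krbPasswordExpiration: {expiration_value(set_at_iso, valid_days)}\n"
    )


def is_expired(value: str, now_iso: str) -> bool:
    """True when a stored krbPasswordExpiration lies at or before now_iso;
    lets the script read the attribute back and confirm the write took."""
    expires = datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)
    return expires <= datetime.fromisoformat(now_iso).astimezone(timezone.utc)
```

Pipe the output of expiration_ldif() into ldapmodify with credentials allowed to write the attribute, immediately after the same script has set the password.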
Re: [Freeipa-users] Unexpiring user passwords
Joshua J. Kugler wrote:
> I have read this page http://www.freeipa.org/page/New_Passwords_Expired
>
> Aside from the fact that the decision should have been left to the company and their policies, and violates the tenet that software should have sane defaults while leaving flexibility to the user, I'm wondering if you can help me.
>
> We have a situation where the passwords in FreeIPA need to be synchronized with another system in the company (a database of users, which is the authoritative source for users and passwords). But, from what I read, the documentation is telling me we can't do that, because if we followed this work flow:
>
> 1. User goes to "master DB" and changes their password
> 2. master DB runs a script which sets password on FreeIPA system
> 3. User's login is now broken because the password is expired.
>
> It is really unfortunate that this design decision was made, because
>
> 1. It prevents FreeIPA from being integrated with existing systems (telling people, effectively, you have to use FreeIPA for EVERYTHING or you can't use us at all)
> 2. It doesn't really improve security as claimed, because if the user's new password is intercepted, the interceptor can use that password to login and change the expired password, still giving access.
>
> Is there a way around this? Is there a password synchronization protocol that can be used to link up systems that need to have common logins?

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#password-sync

rob