Re: [Freeipa-users] passwords

2015-05-25 Thread Martin Kosek
On 05/23/2015 10:21 PM, Janelle wrote:
> I have a question regarding passwords.
>
> It seems IPA does a very nice job of generating random passwords.

Thanks!

> Is there a way to use that feature without actually setting it on a user?
> Something akin to pwgen?
>
> Thank you
> ~Janelle

There is no explicit script to do , there was no demand or value so far. You
would need to call for that functionality yourself in a python script. This
works for me with FreeIPA 4.1 for example:

# python -c "from ipalib import api; api.bootstrap(); api.finalize(); from ipalib.plugins.user import user_pwdchars; from ipapython.ipautil import ipa_generate_password; print ipa_generate_password(user_pwdchars)"
dIbhUAM3puoA

If you have a vision/idea why/how/when FreeIPA could be used as a password
generator, please feel free to file an RFE (and send patches :-)

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
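
For a pwgen-style generator that does not need an IPA installation, the following standalone Python 3 script is an added example, not part of the original thread and not FreeIPA code. The alphabet, the required character classes and the function names are assumptions; the default length of 12 matches the sample output above.

```python
import math
import secrets
import string

# Assumed character classes; this is NOT FreeIPA's user_pwdchars value.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
ALPHABET = "".join(CLASSES)


def generate_password(length=12, alphabet=ALPHABET, classes=CLASSES):
    """Return a random password drawn from the OS CSPRNG.

    Candidates that lack a character from any required class are discarded
    and redrawn (rejection sampling), so every acceptable password stays
    equally likely. Patching a character in afterwards would skew that.
    """
    if length < len(classes):
        raise ValueError("length too short to cover every required class")
    if any(not cls or not set(cls) <= set(alphabet) for cls in classes):
        raise ValueError("each class must be a non-empty subset of alphabet")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in classes):
            return candidate


def entropy_bits(length, alphabet=ALPHABET):
    """Upper bound on entropy in bits: log2(len(alphabet) ** length)."""
    return length * math.log2(len(set(alphabet)))


if __name__ == "__main__":
    pw = generate_password()
    print(pw)
    print("at most %.1f bits" % entropy_bits(len(pw)))
```

The entropy figure is an upper bound because the class requirement removes a small share of the possible strings.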


Re: [Freeipa-users] passwords expiration against IPA v.3.0.0-37 using ldap not kerberos

2014-07-21 Thread Jakub Hrozek
On Fri, Jul 18, 2014 at 11:22:05AM -0400, Lance Reed wrote:
> I am having a problem with sssd (1.9.2) and passwords expiration
> against IPA v.3.0.0-37.
>
> I have set up sssd to use IPA with LDAP not Kerberos since this is in
> EC2 and I don’t want to deal with assigning tickets to each ephemeral
> host.  So far things are working great, with the one exception that
> due to IPA using “krbPasswordExpiration” instead of “shadowExpire”
> breaks the usage of expired passwords.  I tried setting
> “ldap_pwd_policy = mit_kerberos”, which does allow expired passwords
> to be recognized, but then breaks the user's ability to change
> passwords.  I suspect it causes sssd to use all Kerberos code paths,
> which won’t work in this case.
>
>
> e.g. added [domain/LDAP] trying to see if it will work.
>
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_schema = IPA
>
> #ldap_pwd_policy = mit_kerberos
> ldap_account_expire_policy = mit_kerberos
>
> If anyone has any ideas on this I would appreciate any feedback.
> Thanks in advance.

FYI, this question was asked on sssd-users, too, and the discussion is
ongoing on that list:
https://lists.fedorahosted.org/pipermail/sssd-users/2014-July/001957.html
