Bug 1317060 - [RFE] Add option for new/reset passwords not to expire for IDM users

| Field | Value | Field | Value |
|---|---|---|---|
| Product | Red Hat Enterprise Linux 7 | Reporter | Matt Smith <mjs> |
| Component | ipa | Assignee | IPA Maintainers <ipa-maint> |
| Status | CLOSED UPSTREAM | QA Contact | Kaleem <ksiddiqu> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 7.2 | CC | afarley, aheverle, greartes, pasik, pvoborni, rcritten |
| Target Milestone | rc | Keywords | FutureFeature |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2019-06-22 18:07:14 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description (Matt Smith, 2016-03-11 20:29:36 UTC)

Upstream ticket: https://fedorahosted.org/freeipa/ticket/5763

Possible solution is: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync

I.e. add the admin user to the passSyncManagersDNs attr of the cn=ipa_pwd_extop,cn=plugins,cn=config entry. But it has 2 drawbacks:

- the configuration is local to a single IPA master - needs to be done on all masters which the admin user uses
- cannot be configured in IPA UIs - an LDAP mod is needed

*** Bug 1396639 has been marked as a duplicate of this bug. ***

Hi,

What about adding a parameter to the REST API that permits changing the password without the password being expired?

I am using IdM as external authentication with CloudForms and the user (which will never have direct access to IdM) will change its password via Dialog (using the REST API). While I can change the password via the REST API, it is EXPIRED, so one cannot log back in to CloudForms after one changes the password via the REST API. This is not optimal.

Thanks in advance.

(In reply to Reartes Guillermo from comment #6)

In your case you are likely using a bind user to connect to IPA, so you can use passSyncManagersDNs to avoid marking the passwords as reset, as documented at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/pass-sync

@Rob (and @Petr, whose earlier post I missed)

I don't think passSyncManagersDNs will satisfy the initial request, if I understand the impact of passSyncManagersDNs correctly. Though it may satisfy comment #6.

If I am an IPA admin, I need to do two things:

- Occasionally reset a user's password -- a password change should be required on next login
- Create service/application accounts for applications that need to bind to LDAP -- no password change should be forced

It looks like if I add my account to the passSyncManagersDNs attribute, I will no longer be forcing users to change their password on next login.

To meet the need I originally posted, I believe we'd need some toggleable option (flag to the ipa command line and REST API, checkbox in the UI) available during the password change operation that specifies "Require password change on next login".

(In reply to Matt Smith from comment #8)

Agreed, my proposal does not satisfy the initial request, which is why I replied to the latest comment. passSyncManagersDNs is only applicable when using a single account to externally manage password entries.

I am going to push this to the upstream bz.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/5763

Currently, there is not a way in Kerberos to handle this. When it moves to the 64-bit timestamp (which will be required in 2027), it may be possible to do.

Setting this to CLOSED UPSTREAM
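The following is an added example, not code from the bug report, from CloudForms or from the FreeIPA project. It puts the two things the thread discusses into runnable form: the LDIF for the passSyncManagersDNs workaround (which, because cn=config is not replicated, has to be applied on every master the bind user can reach) and a check for the symptom from comment #6, a password that is immediately expired after an administrative reset. The master hostnames and the bind DN are hypothetical, and the shape of the `ipa user-show --all` JSON-RPC result (krbpasswordexpiration as a list holding `{"__datetime__": "YYYYmmddHHMMSSZ"}`) is an assumption about the IPA JSON encoding, not something the bug page states.

```python
"""Added example around the passSyncManagersDNs workaround and the
'expired right after reset' state discussed in the bug thread.

Hypothetical values: IPA_MASTERS, BIND_DN, SAMPLE_USER_SHOW. Assumed, not
from the page: IPA's JSON-RPC encodes datetimes as
{"__datetime__": "YYYYmmddHHMMSSZ"} (LDAP generalized time).
"""
from datetime import datetime, timezone

# Entry named in the thread; cn=config is local to each master.
PWD_EXTOP_DN = "cn=ipa_pwd_extop,cn=plugins,cn=config"

# Hypothetical deployment values; substitute your own.
IPA_MASTERS = ["ipa1.example.test", "ipa2.example.test"]
BIND_DN = "uid=svc-cloudforms,cn=users,cn=accounts,dc=example,dc=test"

# Constructed sample of a user entry right after an admin reset: the
# expiration equals the reset time, so the next login demands a change.
SAMPLE_USER_SHOW = {
    "uid": ["jdoe"],
    "krbpasswordexpiration": [{"__datetime__": "20160311202936Z"}],
}


def pass_sync_ldif(bind_dn):
    """LDIF adding bind_dn to passSyncManagersDNs of the ipa_pwd_extop plugin.

    Passwords set by this DN are stored as given instead of being marked
    reset. The attribute lives under cn=config, which is not replicated,
    so the same LDIF must be applied on every master (drawback 1 above).
    """
    return (
        f"dn: {PWD_EXTOP_DN}\n"
        "changetype: modify\n"
        "add: passSyncManagersDNs\n"
        f"passSyncManagersDNs: {bind_dn}\n"
    )


def ldapmodify_commands(masters):
    """One ldapmodify invocation per master (LDIF on stdin), STARTTLS,
    simple bind as Directory Manager with password prompted (-W)."""
    return [
        f"ldapmodify -ZZ -x -D 'cn=Directory Manager' -W -H ldap://{master}/"
        for master in masters
    ]


def parse_generalized_time(value):
    """LDAP generalized time 'YYYYmmddHHMMSSZ' -> timezone-aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_must_change(user_show_result, now=None):
    """True when krbPasswordExpiration is at or before `now`.

    An administrative reset is represented by setting krbPasswordExpiration
    to the time of the reset, i.e. 'already expired' means 'must change on
    next login'. `now` is a generalized-time string; default is current UTC.
    """
    exp = user_show_result.get("krbpasswordexpiration")
    if not exp:
        return False  # no expiration stored, nothing forces a change
    expires_at = parse_generalized_time(exp[0]["__datetime__"])
    current = parse_generalized_time(now) if now else datetime.now(timezone.utc)
    return expires_at <= current


if __name__ == "__main__":
    print(pass_sync_ldif(BIND_DN))
    for cmd in ldapmodify_commands(IPA_MASTERS):
        print(cmd)
    print("must change:", password_must_change(SAMPLE_USER_SHOW, now="20160312000000Z"))
```

Pipe the LDIF into each printed ldapmodify command in turn; checking `password_must_change` on the affected user before and after the change is the quickest way to confirm the bind user is actually covered on the master it talks to.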