Bug 1317060 - [RFE] Add option for new/reset passwords not to expire for IDM users
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Assigned To: IPA Maintainers
: FutureFeature
: 1396639
Reported: 2016-03-11 15:29 EST by Matt Smith
Modified: 2017-10-11 21:44 EDT (History)

Type: Bug

Description Matt Smith 2016-03-11 15:29:36 EST
Description of problem:
When an admin creates a new user in IPA, the password for that user is immediately expired.  Similarly, when an admin resets a user password, that password is immediately expired.  This forces the user to change their own password.  The rationale for this behavior is well documented at http://www.freeipa.org/page/New_Passwords_Expired.

However - an admin may also create a user representing an application or service, such that the password the admin sets is expected to work for the application.  Currently, the admin is required to change the password, as the user, after setting it initially.  This represents an unnecessary set of steps.

This request is to provide a mechanism for "ipa user-add", "ipa passwd", and the Web UI to allow a newly created user to be given a password that does not immediately expire, for use by applications.

Version-Release number of selected component (if applicable):

How reproducible:
Feature does not currently exist.

Steps to Reproduce:
1.  Create a new user or change the password of an existing user as admin.
2.  Authenticate as the new user.
3.  Note that the user is forced to change the password.

Actual results:
Admin has no option to avoid having to change password.

Expected results:
Admin should have an option to allow new users without forced password change.

Additional info:
Discussion on internal mailing lists 2015-03-10.
Comment 2 Petr Vobornik 2016-03-24 15:16:03 EDT
Upstream ticket:
Comment 3 Petr Vobornik 2016-11-22 02:55:17 EST
Possible solution is: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync 

I.e. add the admin user to the passSyncManagersDNs attr of the cn=ipa_pwd_extop,cn=plugins,cn=config entry.

But it has 2 drawbacks:
- the configuration is local to a single IPA master - it needs to be done on all masters which the admin user uses
- cannot be configured in IPA UIs - LDAP mod is needed
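An added example (not code from the bug report or from FreeIPA) that builds the LDIF for the workaround described in comment 3 and then audits ldapsearch dumps of the cn=ipa_pwd_extop entry taken from several masters, since the setting is per-master and any DN listed there bypasses the forced password change; the admin DN, master names and LDIF dumps are constructed sample values.

```python
"""Build and audit passSyncManagersDNs on the IPA password plugin entry."""
from __future__ import annotations
import re

PLUGIN_DN = "cn=ipa_pwd_extop,cn=plugins,cn=config"   # entry named in comment 3
ATTR = "passSyncManagersDNs"                           # attribute named in comment 3
ADMIN_DN = "uid=admin,cn=users,cn=accounts,dc=example,dc=com"   # constructed

def build_ldif(admin_dn: str) -> str:
    """LDIF that adds admin_dn as a password-sync manager on ONE master
    (apply per master with: ldapmodify -x -D 'cn=Directory Manager' -W -f add.ldif)."""
    return (f"dn: {PLUGIN_DN}\nchangetype: modify\n"
            f"add: {ATTR}\n{ATTR}: {admin_dn}\n")

def parse_sync_managers(ldif: str) -> set[str]:
    """Return the passSyncManagersDNs values found in an ldapsearch LDIF dump."""
    text = re.sub(r"\n ", "", ldif)          # join LDIF continuation lines
    values = set()
    for line in text.splitlines():
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == ATTR.lower():
            values.add(val.strip().lower())  # simple case normalization for DN comparison
    return values

def audit(per_master: dict[str, str], expected: set[str]) -> dict[str, dict[str, set[str]]]:
    """Per master: expected DNs that are missing, and listed DNs nobody approved."""
    exp = {d.lower() for d in expected}
    report = {}
    for master, ldif in per_master.items():
        found = parse_sync_managers(ldif)
        report[master] = {"missing": exp - found, "unexpected": found - exp}
    return report

# Constructed ldapsearch output for three masters: configured, not configured,
# and configured plus an extra (wrapped) DN that was never approved.
SAMPLE = {
    "master1": f"dn: {PLUGIN_DN}\ncn: ipa_pwd_extop\n{ATTR}: {ADMIN_DN}\n",
    "master2": f"dn: {PLUGIN_DN}\ncn: ipa_pwd_extop\n",
    "master3": (f"dn: {PLUGIN_DN}\ncn: ipa_pwd_extop\n{ATTR}: {ADMIN_DN}\n"
                f"{ATTR}: uid=svc-legacy,cn=users,cn=accounts,\n dc=example,dc=com\n"),
}

if __name__ == "__main__":
    print(build_ldif(ADMIN_DN))
    for master, result in audit(SAMPLE, {ADMIN_DN}).items():
        print(master, "missing:", sorted(result["missing"]),
              "unexpected:", sorted(result["unexpected"]))
```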
Comment 4 Petr Vobornik 2016-11-22 02:59:27 EST
*** Bug 1396639 has been marked as a duplicate of this bug. ***
