Bug 1317060 - [RFE] Add option for new/reset passwords not to expire for IDM users
Summary: [RFE] Add option for new/reset passwords not to expire for IDM users
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Duplicates: 1396639
Depends On:
Reported: 2016-03-11 20:29 UTC by Matt Smith
Modified: 2020-12-11 12:06 UTC
6 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-06-22 18:07:14 UTC
Target Upstream Version:


Description Matt Smith 2016-03-11 20:29:36 UTC
Description of problem:
When an admin creates a new user in IPA, the password for that user is immediately expired.  Similarly, when an admin resets a user password, that password is immediately expired.  This forces the user to change their own password.  The rationale for this behavior is well documented at http://www.freeipa.org/page/New_Passwords_Expired.

However - an admin may also create a user representing an application or service, such that the password the admin sets is expected to work for the application.  Currently, the admin is required to change the password, as the user, after setting it initially.  This represents an unnecessary set of steps.

This request is to provide a mechanism for "ipa user-add", "ipa passwd", and the Web UI to allow a newly created user to be given a password that does not immediately expire, for use by applications.

Version-Release number of selected component (if applicable):

How reproducible:
Feature does not currently exist.

Steps to Reproduce:
1.  Create new user or change password of existing user as admin.
2.  Authenticate as new user.
3.  Note that user is forced to change password.

Actual results:
Admin has no option to avoid having to change password.

Expected results:
Admin should have an option to allow new users without forced password change.

Additional info:
Discussion on internal mailing lists 2015-03-10.

Comment 2 Petr Vobornik 2016-03-24 19:16:03 UTC
Upstream ticket:

Comment 3 Petr Vobornik 2016-11-22 07:55:17 UTC
A possible solution is: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync

I.e. add the admin user to the passSyncManagersDNs attr of the cn=ipa_pwd_extop,cn=plugins,cn=config entry.

But it has 2 drawbacks:
- the configuration is local to a single IPA master - needs to be done on all masters which the admin user uses
- cannot be configured in IPA UIs - an LDAP mod is needed

Comment 4 Petr Vobornik 2016-11-22 07:59:27 UTC
*** Bug 1396639 has been marked as a duplicate of this bug. ***

Comment 6 Reartes Guillermo 2017-12-27 12:14:30 UTC

What about adding a parameter to the REST API that permits being able to change the password without the password being expired?

I am using IdM as external authentication with CloudForms and the user (which will never have direct access to IdM) will change its password via Dialog (using REST API).

While I can change the password via REST API, it is EXPIRED, so one cannot log back in to CloudForms after one changes the password via REST API.
This is not optimal.

Thanks in advance.

Comment 7 Rob Crittenden 2018-01-02 16:53:57 UTC
(In reply to Reartes Guillermo from comment #6)

In your case you are likely using a bind user to connect to IPA so you can use passSyncManagersDNs to avoid marking the passwords as reset as documented at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/pass-sync

Comment 8 Matt Smith 2018-01-02 17:35:15 UTC
@Rob (and @Petr, whose earlier post I missed)

I don't think passSyncManagersDNs will satisfy the initial request, if I understand the impact of passSyncManagersDNs correctly.  Though it may satisfy comment #6.

If I am an IPA admin, I need to do two things:
- Occasionally reset a user's password -- a password change should be required on next login
- Create service/application accounts for applications that need to bind to LDAP -- no password change should be forced

It looks like if I add my account to the passSyncManagersDNs attribute, that I will no longer be forcing users to change their password on next login.

To meet the need I originally posted, I believe we'd need some toggleable option (flag to the ipa command line and REST API, checkbox in the UI) available during password change operation that specifies "Require password change on next login".

Comment 9 Rob Crittenden 2018-01-02 18:28:44 UTC
(In reply to Matt Smith from comment #8)

Agreed, my proposal does not satisfy the initial request which is why I replied to the latest comment. passSyncManagersDNs is only applicable when using a single account to externally manage password entries.
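The passSyncManagersDNs workaround from comments 3, 7 and 9, written out as an added example (not code from the bug report or from FreeIPA). Following comment 9, the bind DN granted the privilege is a dedicated password-management system account rather than the admin account, so ordinary admin resets keep forcing a change on next login; following the first drawback in comment 3, the cn=config change is applied to every master. The base DN, the `pw-sync` account, the master hostnames and the Directory Manager password file are assumptions for the example.

```shell
#!/bin/sh
# Added example: grant one dedicated bind DN the passSyncManagersDNs privilege
# on each IPA master, then check whether a reset password came out expired.
# All names below are assumptions, not values from the bug report.
BASE_DN="${BASE_DN:-dc=example,dc=test}"
PWSYNC_DN="${PWSYNC_DN:-uid=pw-sync,cn=sysaccounts,cn=etc,$BASE_DN}"
MASTERS="${MASTERS:-ipa1.example.test ipa2.example.test}"
DM_PW_FILE="${DM_PW_FILE:-/root/.dm-password}"   # Directory Manager password, file mode 0600

# LDIF that adds a bind DN to passSyncManagersDNs on the ipa_pwd_extop plugin
# entry named in comment 3. Passwords set by this DN are not marked as reset.
build_ldif() {
    printf '%s\n' \
        "dn: cn=ipa_pwd_extop,cn=plugins,cn=config" \
        "changetype: modify" \
        "add: passSyncManagersDNs" \
        "passSyncManagersDNs: $1"
}

# cn=config is not replicated, so the modification must be repeated per master
# (drawback 1 in comment 3). Modifying cn=config normally needs Directory Manager.
apply_on_all_masters() {
    for host in $MASTERS; do
        build_ldif "$PWSYNC_DN" | ldapmodify -x -H "ldaps://$host" \
            -D "cn=Directory Manager" -y "$DM_PW_FILE" || return 1
    done
}

# Extract the krbPasswordExpiration value from LDIF output (ldapsearch -LLL).
parse_expiration() {
    sed -n 's/^krbPasswordExpiration: //p' | head -n 1
}

# Read a user's stored password expiration from one master (Kerberos auth).
show_expiration() {
    ldapsearch -LLL -Y GSSAPI -H "ldaps://$1" \
        -b "uid=$2,cn=users,cn=accounts,$BASE_DN" krbPasswordExpiration |
        parse_expiration
}

# True when an expiration (GeneralizedTime, YYYYMMDDhhmmssZ) lies before a
# reference time in the same format. A string sort is enough because both
# values are fixed-width UTC timestamps. A password reset by a normal admin
# gets an expiration of the reset time itself, i.e. it is already expired.
is_expired() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort | head -n 1)" = "$1" ]
}
```

After `apply_on_all_masters` has run, a reset done by binding as `$PWSYNC_DN` should leave `show_expiration ipa1.example.test someuser` in the future, while a reset done as a regular admin still yields a value equal to the reset time, which `is_expired` reports as expired against the current time.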

Comment 10 Amy Farley 2019-06-22 18:07:14 UTC
I am going to push this to the upstream bz

Upstream ticket:

Currently, there is not a way in kerberos to handle this, when it moves to the 64 bit timestamp (will be required in 2027), it may be possible to do.

Setting this to CLOSED UPSTREAM
