Once the admin changes the user password, it will expire immediately.
Can we disable this policy?
I didn't believe it's possible to change easily, but how I get around it for service accounts and the like is to change it from the admin side, then login as the service account using the password set from the admin side. Then I change the password as the user, which will then obey whatever password policies are applicable.
On Mon, Jul 1, 2024, 21:10 luckydog xf via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Once the admin changes the user password, it will expire immediately.
> Can we disable this policy?
>
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Thanks.
On Tue, Jul 2, 2024 at 9:12 AM Russell Long <kd8fre@gmail.com> wrote:
> I didn't believe it's possible to change easily, but how I get around it for service accounts and the like is to change it from the admin side, then login as the service account using the password set from the admin side. Then I change the password as the user, which will then obey whatever password policies are applicable.
>
> On Mon, Jul 1, 2024, 21:10 luckydog xf via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> > Once the admin changes the user password, it will expire immediately.
> > Can we disable this policy?
Hi,
Yes, you can bypass the password policy. It's managed by the ipa_pwd_extop plugin. And you can exclude the admin user.

    # ipa_pwd_extop.ldif
    dn: cn=ipa_pwd_extop,cn=plugins,cn=config
    changetype: modify
    add: passSyncManagersDNs
    passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=com

    $ ldapmodify -f ipa_pwd_extop.ldif

You can apply the following query to confirm the result. The admin user will be listed under passSyncManagersDNs.

    $ ldapsearch -LL -x -D 'cn=Directory Manager' -W -b "cn=ipa_pwd_extop,cn=plugins,cn=config"

You can get more info here: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html-sin...
Vahit
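
An added example, not part of the thread and not FreeIPA code: a small audit of the confirmation query's LDIF output that lists every DN under passSyncManagersDNs and flags any that are not on an approved list, since each listed DN is excluded from the policy. The function names, the APPROVED list and the sample LDIF are assumptions constructed for illustration.

```python
import base64

ATTR = "passSyncManagersDNs"  # attribute name as used in the LDIF in this thread

def unfold(ldif):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def normalize_dn(dn):
    """Simplified comparison form; assumes no escaped commas in RDN values."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def exempt_dns(ldif):
    """Return every passSyncManagersDNs value, decoding 'attr:: base64' forms."""
    found = []
    for line in unfold(ldif):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != ATTR.lower():
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        found.append(normalize_dn(value))
    return found

def audit(ldif, approved):
    """Split the exempt DNs into approved and unexpected entries."""
    allowed = {normalize_dn(dn) for dn in approved}
    found = exempt_dns(ldif)
    return {"approved": [d for d in found if d in allowed],
            "unexpected": [d for d in found if d not in allowed]}

# Constructed sample (not captured from a real server): one plain value,
# one folded across two lines, one base64-encoded.
SAMPLE_LDIF = (
    "dn: cn=ipa_pwd_extop,cn=plugins,cn=config\n"
    "passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=com\n"
    "passSyncManagersDNs: uid=passsync,cn=sysaccounts,cn=etc,dc=example,\n"
    " dc=com\n"
    "passSyncManagersDNs:: "
    + base64.b64encode(b"uid=helpdesk,cn=users,cn=accounts,dc=example,dc=com").decode() + "\n"
)
APPROVED = ["uid=admin,cn=users,cn=accounts,dc=example,dc=com"]  # hypothetical allowlist
if __name__ == "__main__": print(audit(SAMPLE_LDIF, APPROVED))
```

To use it on a real server, feed the output of the ldapsearch command above into audit() in place of SAMPLE_LDIF.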