Freeipa krbPasswordExpiration #792

Open
purisev opened this issue Aug 3, 2023 · 4 comments

purisev commented Aug 3, 2023

Hello.
I have an installation of the utility in combination with FreeIPA.
When a user changes their password, it is always expired.
Password expiration is checked with a user attribute called krbPasswordExpiration.
It looks like: krbPasswordExpiration: 20230803122541Z
Can you please add to the config an analog of shadowExpire for FreeIPA users, to change the krbPasswordExpiration attribute with a preset value in days?
Thank you.

coudot added this to the Backlog milestone Aug 16, 2023

andyfsimon commented Oct 23, 2024

Same here - we would like to implement this to allow our IPA users to reset their password (and to set it for the first time) but it's kind of silly that they have to come up with two valid passwords each time.
Also, this is not really an enhancement but actually an unexpected behaviour.

coudot commented Oct 24, 2024

Waiting for an official option in SSP, you can for now use a posthook:
https://self-service-password.readthedocs.io/en/stable/config_preposthook.html

Just create a small script that will update krbPasswordExpiration with the current date.

For the official feature, you're welcome to propose a contribution, or contact us directly to help finance the development.

@andyfsimon

Indeed! That was my initial attempt and while searching how I could do just that I ran into the Red Hat documentation above. Bear in mind, for IPA it only applies when you use the "manager" account (as in the case of reset password) because the "user" will update just fine and not trigger the expiry.

Thing is, if I understand correctly, krbPasswordExpiration should be updated with the date of the next expiration (so we would likely also need to check what is the policy applying in IPA for that user) - then assuming the host running SSP is able to run ipa commands, it should be doable by using the "manager" account in the script as well.

As for integrating in SSP itself, I am unsure whether we can come up with an "update_ipa_expiry = true" or "ipa_chpw_at_next_login = false" field, but will see whether I can come up with something, but PHP ain't my daily driver, unfortunately! Is FreeIPA a common occurrence among your users?

But while we're at it: thank you for your work.
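
The posthook approach from the comments above, as an added example (not code from the thread or from the SSP project): it sets krbPasswordExpiration to the current time plus a fixed number of days and validates the login before it reaches the DN and LDIF. Assumed here: SSP passes the login as the first argument, GNU `date` is available, the bind account is allowed to write the attribute, and the base DN, bind DN, password file, URI and lifetime are placeholders; `valid_login`, `expiry_stamp` and `build_ldif` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: SSP posthook that moves krbPasswordExpiration forward.
# Every value below is a placeholder or assumption, not taken from the thread.
LC_ALL=C; export LC_ALL                     # make A-Z/a-z ranges byte-exact
BASE_DN="dc=example,dc=test"
BIND_DN="uid=ssp-manager,cn=sysaccounts,cn=etc,$BASE_DN"
BIND_PW_FILE="/etc/self-service-password/ipa-bind.pw"  # mode 0600, no trailing newline
LDAP_URI="ldaps://ipa.example.test"
MAX_LIFE_DAYS=90                            # keep in line with the IPA password policy

# Accept only logins that cannot change the DN or add LDIF lines
# (no commas, equals signs, spaces or newlines).
valid_login() {
    case "$1" in
        ""|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# $1 = lifetime in days, $2 = current time as epoch seconds.
# Prints the expiry as UTC GeneralizedTime, e.g. 20230803122541Z.
expiry_stamp() {
    date -u -d "@$(( $2 + $1 * 86400 ))" +%Y%m%d%H%M%SZ
}

# $1 = validated login, $2 = GeneralizedTime stamp.
build_ldif() {
    printf 'dn: uid=%s,cn=users,cn=accounts,%s\n' "$1" "$BASE_DN"
    printf 'changetype: modify\nreplace: krbPasswordExpiration\n'
    printf 'krbPasswordExpiration: %s\n' "$2"
}

main() {
    valid_login "$1" || { echo "posthook: rejected login" >&2; return 1; }
    stamp=$(expiry_stamp "$MAX_LIFE_DAYS" "$(date +%s)") || return 1
    # -y reads the bind password from a file so it never shows up in the
    # process list; the new user password passed by SSP is not used at all.
    build_ldif "$1" "$stamp" |
        ldapmodify -x -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE"
}

# Run only when invoked with arguments (as a hook), not when sourced.
if [ "$#" -ge 1 ]; then main "$@"; fi
```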
