Joshua J. Kugler wrote:
I have read this page http://www.freeipa.org/page/New_Passwords_Expired
Aside from the fact that the decision should have been left to the company and
their policies, and violates the tenant that software should have sane
defaults while leaving flexibility to the user, I'm wondering if you can help
me.
We have a situation where the passwords in FreeIPA need to be synchronized
with another system in the company (a database of users, which is the
authoritative source for users and passwords). But, from what I read, the
documentation is telling me we can't do that, because if we followed this work
flow:
1. Users goes to "master DB" and changes their password
2. master DB runs a script which sets password on FreeIPA system
3. User's login is now broken because the password is expired.
It is really unfortunate that this design decision was made, because
1. It prevents FreeIPA from being integrated with existing systems (telling
people, effectively, you have to use FreeIPA for EVERYTHING or you can't use us
at all)
2. It doesn't really improve security as claimed, because if the user's new
password is intercepted, the interceptor can use that password to login and
change the expired password, still giving access.
Is there a way around this? Is there a password synchronization protocol that
can be used to link up systems that need to have common logins?
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#password-sync
rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
