Hi Anton,

maybe you can "talk" directly to ds:
http://directory.fedoraproject.org/docs/389ds/FAQ/password-syntax.html

regards,
---
Ernedin ZAJKO eza...@root.ba
> 340282366920938463463374607431768211456

On Thu, Oct 13, 2016 at 1:53 AM, Anon Lister <listera...@gmail.com> wrote:
> Unfortunately, policy and regulation often lag behind current theory by
> several decades. For what it's worth, I'd second being able to set more
> complicated policies as a useful feature.
>
> On Oct 12, 2016 6:38 PM, "Simpson Lachlan" <lachlan.simp...@petermac.org>
> wrote:
>>
>> > -----Original Message-----
>> > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Bennett, Chip
>> > Sent: Thursday, 13 October 2016 7:21 AM
>> > To: Florence Blanc-Renaud; freeipa-users@redhat.com
>> > Subject: Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient
>> >
>> > Flo,
>> >
>> > Thanks for getting back to me. I had seen this in the documentation. I was just
>> > hoping that I was missing something. I guess I'm just surprised that a product
>> > designed to manage authentication wouldn't have a way to be more specific in the
>> > complexity requirements.
>>
>> I don't know. Those types of complexity requirements are multifaceted,
>> complex and somewhat arbitrary. Given that each then requires regex, I'm
>> quite happy that the devs focus on getting other aspects of FreeIPA to work
>> over password complexity.
>>
>> As xkcd noted a couple of years ago, password length is better for
>> security than anything else.
>>
>> Complex arrangements of different character classes are neither human nor UX
>> friendly nor where contemporary security theory is focused - try 2FA,
>> public/private keys, etc. While I understand that large organisations have
>> policy that often drags well behind contemporary theory, I don't think it's
>> fair to expect software to also allow for that.
>>
>> Cheers
>> L.
>>
>> >
>> > Thanks again!
>> > Chip
>> >
>> > -----Original Message-----
>> > From: Florence Blanc-Renaud [mailto:f...@redhat.com]
>> > Sent: Wednesday, October 12, 2016 3:18 PM
>> > To: Bennett, Chip <cbenn...@ftdi.com>; freeipa-users@redhat.com
>> > Subject: Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient
>> >
>> > On 10/11/2016 07:36 PM, Bennett, Chip wrote:
>> > > I just joined this list, so if this question has been asked before
>> > > (and I'll bet it has), I apologize in advance.
>> > >
>> > > A Google search was unrevealing, so I'm asking here: we're running
>> > > FreeIPA Version 3.0.0 on CentOS 6.6. It looks like the password
>> > > complexity requirements are limited to setting the number of character
>> > > classes to require, i.e. setting it to "2" would require your new
>> > > password to be any two of the character classes.
>> > >
>> > > What if you wanted new passwords to meet specific class requirements,
>> > > i.e. a mix of UC, LC, and numbers. It looks like you would use a
>> > > value of "3" to accomplish this, but that would also allow UC, LC, and
>> > > special, or LC, numbers, and special, but you don't want to allow
>> > > those: how would you specify that?
>> > >
>> > Hi,
>> >
>> > as far as I know, it is only possible to specify the number of different character
>> > classes. The doc chapter "Creating Password Policies in the Web UI" [1] describes
>> > the following:
>> > ---
>> > Character classes sets the number of different categories of character that must be
>> > used in the password. This does not set which classes must be used; it sets the
>> > number of different (unspecified) classes which must be used in a password. For
>> > example, a character class can be a number, special character, or capital; the
>> > complete list of categories is in Table 22.1, "Password Policy Settings". This is part
>> > of setting the complexity requirements.
>> > ---
>> >
>> > hope this clarifies,
>> > Flo
>> >
>> > [1]
>> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Setting_Different_Password_Policies_for_Different_User_Groups.html#creating-group-policy-ui
>> >
>> > > Also, what if you had a requirement for more than one of the character
>> > > classes, i.e. you want to require two UC characters or two special
>> > > characters?
>> > >
>> > > Thanks in advance for the help,
>> > >
>> > > Chip Bennett
>> >
>> > --
>> > Manage your subscription for the Freeipa-users mailing list:
>> > https://www.redhat.com/mailman/listinfo/freeipa-users
>> > Go to http://freeipa.org for more info on the project
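
The distinction the thread turns on, as an added example that is not part of the original messages and not FreeIPA's or 389 DS's code: a simplified Python model comparing a count-only "character classes" setting with per-class minimums. It assumes only the four classes named in the thread (UC, LC, numbers, special); the function names, the per-class policy format and the sample passwords are constructed for illustration.

```python
import string

CLASSES = ("upper", "lower", "digit", "special")

def class_counts(password):
    """Count characters per class (simplified model, not FreeIPA's code).
    Anything that is not an ASCII letter or digit is counted as special."""
    counts = dict.fromkeys(CLASSES, 0)
    for ch in password:
        if ch in string.ascii_uppercase:
            counts["upper"] += 1
        elif ch in string.ascii_lowercase:
            counts["lower"] += 1
        elif ch in string.digits:
            counts["digit"] += 1
        else:
            counts["special"] += 1
    return counts

def meets_min_classes(password, min_classes):
    """Count-only rule: any `min_classes` distinct classes are enough."""
    used = sum(1 for n in class_counts(password).values() if n > 0)
    return used >= min_classes

def meets_class_minimums(password, minimums):
    """Hypothetical stricter rule: each named class must appear >= N times."""
    counts = class_counts(password)
    return all(counts[cls] >= n for cls, n in minimums.items())

def compare(passwords, min_classes, minimums):
    """Return (password, count-only verdict, per-class verdict) rows."""
    return [(pw, meets_min_classes(pw, min_classes),
             meets_class_minimums(pw, minimums)) for pw in passwords]

# Constructed sample passwords, all of the same length.
SAMPLES = ["Summer2016x", "Summer!!xyz", "summer#2016", "SUmmer2016x"]
# The mix asked about in the thread: UC, LC and numbers.
UC_LC_DIGIT = {"upper": 1, "lower": 1, "digit": 1}
# The follow-up question: more than one character of a given class.
TWO_UPPER = {"upper": 2, "lower": 1, "digit": 1}

if __name__ == "__main__":
    for pw, by_count, by_class in compare(SAMPLES, 3, UC_LC_DIGIT):
        print(f"{pw:12} classes>=3: {by_count!s:5} UC+LC+digit: {by_class}")
    for pw, _, two_upper in compare(SAMPLES, 3, TWO_UPPER):
        print(f"{pw:12} two uppercase required: {two_upper}")
```

With the class count set to 3, all four samples pass the count-only rule, although only two of them contain the UC, LC and number mix.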