On 8/13/20 1:51 AM, Dario García Díaz-Miguel wrote:
> I can change the password of the principal all the time with that policy
> applied, despite the minimum password life described.

That's true.  The kadmin server code deliberately only checks the
minimum life if a principal is changing its own password.

> Also I'm able to apply old passwords and the history is not being respected, 
> but I'm afraid that's the expected behavior because of the LDAP database 
> module.

Right, LDAP password history is implemented in release 1.15 but not in 1.12.

> I understand that cpw is more like the administration password changing tool
> and, in order to be able to change the password whenever it is required by the
> system administrator, the minimum password life is not being applied.
> But then, any ideas about how we could proceed?

I guess you could print a kadmin ticket for the user from the KDB and
then authenticate with it:

    kinit -k -c somefilename -t KDB: -S kadmin/admin username
    kadmin -c somefilename -q "cpw -pw password username"

kinit -t KDB: support was added in release 1.9, so should be available.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
