#5763 IPA does not provide a method for creating new users with a non-expired password
Opened 3 years ago by pvoborni. Modified 2 years ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1317060

Description of problem:
When an admin creates a new user in IPA, the password for that user is
immediately expired.  Similarly, when an admin resets a user password, that
password is immediately expired.  This forces the user to change their own
password.  The rationale for this behavior is well documented at
http://www.freeipa.org/page/New_Passwords_Expired.

However - an admin may also create a user representing an application or
service, such that the password the admin sets is expected to work for the
application.  Currently, the admin is required to change the password, as the
user, after setting it initially.  This represents an unnecessary set of steps.

This request is to provide a mechanism for "ipa user-add", "ipa passwd", and
the Web UI to allow a newly created user to be given a password that does not
immediately expire, for use by applications.

Version-Release number of selected component (if applicable):
All

How reproducible:
Feature does not currently exist.

Steps to Reproduce:
1.  Create a new user, or change the password of an existing user, as admin.
2.  Authenticate as the new user.
3.  Note that the user is forced to change the password.

Actual results:
Admin has no option to avoid having to change password.

Expected results:
Admin should have an option to allow new users without forced password change.

Additional info:
Discussion on internal mailing lists 2015-03-10.

{{{

  • Christian: I could use something similar for the FreeIPA community portal. I've experimented with a new changetype for the ipa-pwd-extop plugin:
  • IPA_CHANGETYPE_DELEGATE, with a passwordDelegatesDNs setting in the plugin configuration; bind DNs listed in passwordDelegatesDNs don't set expiration but still have to obey other password policies
  • write access is controlled by ACI
  • ab: we shouldn't go this way

devel mtg:
ab: we need to introduce a policy which applies to a certain group of users (who are the originators of the request)
ab: make pw plugin to follow the policy
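
As an added example (not code from this ticket or from the FreeIPA project), the bash script below reproduces the situation described above and then performs the workaround the ticket wants to make unnecessary: create a user with an admin-set password, observe that krbPasswordExpiration is set to "now", and complete the forced change as that user by driving kinit's expired-password prompts. It assumes a live IPA server, an admin ticket already held in the default credential cache, that `ipa user-add --password` and MIT `kinit` read their prompts from stdin when it is not a terminal, and a hypothetical login name and passwords. The expiry check is pure and only relies on the attribute being a UTC GeneralizedTime (YYYYmmddHHMMSSZ), so it can be tested without a server.

```shell
#!/usr/bin/env bash
# Added example, not part of ticket #5763 or of FreeIPA. Assumptions (see lead-in):
# live IPA server, admin ticket already obtained, hypothetical user "svc-backup"
# and passwords, and stdin-driven prompts for ipa/kinit.
set -eu

# FreeIPA stores the expiry in krbPasswordExpiration as a UTC GeneralizedTime,
# e.g. 20160311000000Z. Because the format is fixed-width UTC, the 14 digits can
# be compared as an integer; no date parsing is required.
# Usage: password_expired <krbPasswordExpiration> [<now in the same format>]
# Returns 0 if expired (at or before "now"), 1 if still valid, 2 on bad input.
password_expired() {
  local expiry=$1 now=${2:-$(date -u +%Y%m%d%H%M%SZ)}
  local digits=${expiry%Z}
  case $digits in
    *[!0-9]*|"") digits=bad ;;
  esac
  if [ "$digits" = bad ] || [ "$digits" = "$expiry" ] || [ "${#digits}" -ne 14 ]; then
    echo "password_expired: '$expiry' is not a UTC GeneralizedTime (YYYYmmddHHMMSSZ)" >&2
    return 2
  fi
  # An admin-set or admin-reset password gets an expiry of "now", so <= is the test.
  [ "$digits" -le "${now%Z}" ]
}

# Read the expiry for one user. --raw prints the LDAP attribute name rather than
# the translated label, so the output is stable across locales.
user_password_expiry() {
  ipa user-show "$1" --all --raw | awk 'tolower($1)=="krbpasswordexpiration:" {print $2}'
}

# Step 1 of the ticket: create the user with an admin-set password. Then perform
# the forced change as that user (the step the ticket calls unnecessary), using
# a scratch credential cache so the admin's own ticket is left untouched.
# Usage: create_service_account <login> <first> <last> <initial_pw> <final_pw>
create_service_account() {
  local login=$1 first=$2 last=$3 initial_pw=$4 final_pw=$5
  # ipa prompts "Password:" and "Enter Password again to verify:"; feed both lines.
  printf '%s\n%s\n' "$initial_pw" "$initial_pw" |
    ipa user-add "$login" --first "$first" --last "$last" --password >/dev/null

  local exp
  exp=$(user_password_expiry "$login")
  [ -n "$exp" ] || { echo "no krbPasswordExpiration on $login" >&2; return 1; }
  if ! password_expired "$exp"; then
    echo "$login: password not expired ($exp); nothing to do"
    return 0
  fi
  echo "$login: password expired at $exp, completing the forced change as the user"

  # kinit against an expired password prompts: current password, new password,
  # new password again. After the change it obtains a TGT into KRB5CCNAME.
  local cc
  cc=$(mktemp)
  printf '%s\n%s\n%s\n' "$initial_pw" "$final_pw" "$final_pw" |
    KRB5CCNAME="FILE:$cc" kinit "$login"
  KRB5CCNAME="FILE:$cc" kdestroy

  # Now the expiry follows the password policy instead of being "now".
  echo "$login: new expiry $(user_password_expiry "$login")"
}

# Only touch a real server when asked to; the functions above are usable standalone.
if [ "${1-}" = "--run" ]; then
  command -v ipa >/dev/null && command -v kinit >/dev/null ||
    { echo "ipa and kinit are required" >&2; exit 1; }
  create_service_account svc-backup Backup Service 'Initial-Pw-1' 'Final-Pw-2'
fi
```

The final password is the one the application is configured with; the initial one exists only to satisfy the current behaviour that every admin-set password is born expired. If the feature requested in this ticket were implemented, the whole kinit section would disappear and only the `ipa user-add` call would remain.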

Metadata Update from @pvoborni:
- Issue assigned to someone
- Issue set to the milestone: Future Releases

2 years ago
