As far as I can tell, password policy is enforced on the client side, not the directory side.
I set up a self-service password reset utility which enforces its own rules and bypasses the IPA password policies. I used this one: http://ltb-project.org <http://ltb-project.org/wiki/>

I created a user that had the ability to create passwords, but IIRC there was some setting I had to change so that the passwords created didn't require a change. I'm pretty sure someone in this list told me how, so I'll search and see if I can find it.

--Jason

On Thu, Sep 26, 2013 at 8:58 AM, Innes, Duncan <[email protected] > wrote:

> Sorry,
>
> > -----Original Message-----
> > From: Martin Kosek [mailto:[email protected]]
> > Sent: 26 September 2013 14:29
> > To: Innes, Duncan
> > Cc: [email protected]
> > Subject: Re: [Freeipa-users] Force IPA to accept password?
> >
> > On 09/26/2013 01:05 PM, Innes, Duncan wrote:
> > > Hi,
> > >
> > > Can I force IPA to accept a new password that I have chosen?
> >
> > What password do you have in mind? A password of an IPA user?
> >
>
> Yes - for my authentication when SSHing onto a Linux box.
>
> > >
> > > Today I've had to change my password in 2x AD domains and
> > > other places according to policy. I've done this.
> > >
> > > But coming to IPA, I find that I've chosen a "BAD
> > > PASSWORD". Without getting into the merits of the AD password
> > > policy and the security of the password I've chosen, can I
> > > force IPA to accept my new password at all?
> >
> > Well, without getting into security of the approach, you
> > could change the global password policy or group password
> > policy so that the new password is
> > accepted:
> >
> > $ ipa pwpolicy-mod --minlength=5
> >
> > or
> >
> > $ ipa pwpolicy-add usergroup --minlength=5
> >
> > ... to "fix" whatever failing password policy attribute.
> >
>
> The error comes from a dictionary check I think. AD does as well as far
> as I know, but would appear to have a smaller dictionary or looser
> rules.
>
> Kind of what I expected/feared though. I don't want to change the IPA
> policy at all, just override its objection. For now, I went the long
> route and changed my IPA password first, then changed the other
> passwords to match what IPA was happy with.
>
> > HTH,
> > Martin
> >
>
> Cheers & thanks for your help
>
> Duncan

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
