Add new ipa passwd-generate command #403
| ) | ||
|
|
||
| def execute(self, *keys, **options): | ||
| pwd_length = options.get('length') |
You can set the default value in the get function itself:
`options.get('entropy', 0)`
Both are wrong approaches. Any subclass of Param has a default argument for such cases.
| numbers = options.get('digits') | ||
| schar = options.get('special') | ||
|
|
||
| if not pwd_length: |
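Review bot: `if not pwd_length:` is a truthiness test, so an explicit length of 0 takes the same branch as an omitted option rather than being rejected as invalid input. Compare against None here, or set a default and `minvalue` on the length parameter so out-of-range values are refused before `execute` runs; `digits` and `special`, read just above, deserve the same bounds.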
If get with a default value is used, then this block of code is not required.
| @@ -147,3 +148,78 @@ def execute(self, principal, password, current_password, **options): | |||
| result=True, | |||
| value=principal, | |||
| ) | |||
|
|
|||
Adding an example of 'how-to-use' will help the user.
Hello and thank you for the contribution! However, I do not see what's in this for us. I do not think FreeIPA is intended to be used as a password generator. There are other tools that do this just right,
Adds new `ipa passwd-generate` command which has the ability to create complex passwords using the refactored ipa_generate_password function which is useful for deriving secure passwords for system/service accounts rather than relying on system administrators to come up with their own form of password.
@redhatrises, could you please explain more why you need this command as it is?

FreeIPA allows having multiple password policies. If you want to generate passwords that conform to a particular policy, it would be more reasonable to retrieve the password policy and use it to supply as arguments of the password generator. The generated password does not need to be transferred over the network.

As you are adding a command to IPA, it could be a client-side plugin because Python client side code always has access to ipapython.util module. There could be multiple password generators. For example, on Linux systems you can simply use

If the password generation is based on a particular policy and is moved to the client side, why not create a plugin to ipa-advise instead? It would actually generate a script that calls pwqgen or other generator tool. This would be more useful to other environments as the script would also contain a reference to the password policy parameters and can be run independent of the FreeIPA infrastructure.

Let me know what you think about it.
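A sketch of the client-side, policy-driven generation suggested in the comment above, added here as an example and not code from this PR or from FreeIPA. The `length`, `digits` and `special` names mirror the options read in the reviewed hunk, with their meaning as minimum counts assumed; the policy field names and the `SPECIALS` set are hypothetical.

```python
import secrets
import string

# Assumed special-character set; narrow it for applications that reject some characters.
SPECIALS = "!#$%&()*+,-./:;<=>?@[]^_{}~"


def generate_password(length=16, digits=2, special=2, specials=SPECIALS):
    """Return `length` random characters with at least `digits` digits and
    `special` characters drawn from `specials` (assumed option semantics)."""
    if length < 1 or digits < 0 or special < 0:
        raise ValueError("length must be >= 1 and minimum counts must be >= 0")
    if digits + special > length:
        raise ValueError("minimum counts exceed the requested length")
    if special and not specials:
        raise ValueError("special characters required but none are allowed")
    pool = string.ascii_letters + string.digits + specials
    # Satisfy the minimums first, then fill the rest from the whole pool.
    chars = [secrets.choice(string.digits) for _ in range(digits)]
    chars += [secrets.choice(specials) for _ in range(special)]
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # Shuffle with the OS CSPRNG so the required characters are not always first.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def conforms(password, policy, specials=SPECIALS):
    """Check a password against the (hypothetical) policy fields used below."""
    return (
        len(password) >= policy["min_length"]
        and sum(c in string.digits for c in password) >= policy["min_digits"]
        and sum(c in specials for c in password) >= policy["min_special"]
    )


def password_for_policy(policy, specials=SPECIALS):
    """Generate locally from policy values; nothing is sent over the network."""
    return generate_password(policy["min_length"], policy["min_digits"],
                             policy["min_special"], specials)


if __name__ == "__main__":
    # Constructed policy values, not read from a real FreeIPA server.
    sample_policy = {"min_length": 20, "min_digits": 3, "min_special": 2}
    pw = password_for_policy(sample_policy)
    print(len(pw), conforms(pw, sample_policy))
```

Passing `specials=""` with `special=0` yields an alphanumeric-only password for applications that cannot handle all character types.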
Sorry for the delayed response. Been a little ill, so hopefully this makes sense. This is useful for environments where utilities like However, the final iteration of this (which I have not added yet) is to add
Sorry for another delay too. We have discussed this proposal again and would like to have an ipa-advise implementation instead of IPA CLI command. There are multiple reasons for this:
Thus, we'd still prefer to use 'ipa-advise' plugin approach. A script that 'ipa-advise' would generate, can be run on any machine. If it couldn't be run on the target machine, it can always be run on an IPA client. An important part of this solution is that 'ipa-advise' plugins can be run with administrative privileges (ipa-advise is always run as root) and thus can read password policy settings for a specific user (or a specific password policy).
Thanks @abbra The command would have been
This PR adds a new command line option `ipa passwd-generate` that uses the refactored `ipa_password_generate()` function. This is useful for generating secure passwords for service and system accounts or passwords for applications that may not be able to handle all character types. This could also be useful in the future for generating a temporary password for any portal efforts.