Add --password-expiration to allow an admin to force a password change #621
redhatrises commented Mar 18, 2017
(edited by MartinBasti)
- Allows an admin to easily force a user to expire their password forcing them to change it.
I would prefer this to be an option in |
@abbra why not have it in both |
Hm. |
I don't agree. There should be one and only one obvious way to do it. There is no real benefit in having this in multiple different places, it just adds unnecessary complexity. Let's not repeat mistakes of the past, put this solely into |
Actually, maybe |
Okay, so since it will reside in one location, should it be |
Ok, let's go with LGTM. |
I have given this some thought over the night - maybe we should make the option more generic and allow the user to specify the expiration time rather than special case it for "now" time, i.e. |
@HonzaCholasta that's an interesting idea. Most of the time, a password reset is forced immediately, but that does provide more flexibility. I assume that the datetime input should match the |
@redhatrises, do not handle the format yourself, use the |
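An added example, not code from this pull request or from FreeIPA: a small helper that normalises the `now` special case discussed above (and, following the suggestion to accept an explicit expiration time, a datetime or generalized-time string) to the naive UTC datetime and `YYYYMMDDHHMMSSZ` string that krbPasswordExpiration stores. The function names, the ISO 8601 input path and the injectable `now` argument are assumptions made for readability and testing; sub-second precision is dropped because the `%Y%m%d%H%M%SZ` format has none, which is also what the strftime/strptime round trip in the first revision did implicitly.

```python
import datetime
import re

# Hypothetical helper, not FreeIPA's Param code or the code from this PR:
# normalise an admin-supplied expiration to the naive UTC datetime behind
# krbPasswordExpiration, whose string form is generalized time 'YYYYMMDDHHMMSSZ'.
GENERALIZED_TIME = '%Y%m%d%H%M%SZ'
GENERALIZED_TIME_RE = re.compile(r'^\d{14}Z$')
UTC = datetime.timezone.utc


def _to_naive_utc(dt):
    """Convert an aware datetime to UTC and drop tzinfo; a naive one is taken as UTC.
    Microseconds are dropped: the generalized-time format used here has no fraction."""
    if dt.tzinfo is not None:
        dt = dt.astimezone(UTC).replace(tzinfo=None)
    return dt.replace(microsecond=0)


def parse_expiration(value, now=None):
    """Return a naive UTC datetime for ``value``.

    ``value`` may be the literal 'now' (force a change immediately), an aware or
    naive datetime (naive is assumed UTC), a 'YYYYMMDDHHMMSSZ' string, or an
    ISO 8601 string such as '2017-03-18T14:34:56+02:00' (assumed CLI input form).
    ``now`` is injectable for tests and defaults to the current UTC time.
    """
    if value == 'now':
        if now is None:
            now = datetime.datetime.now(UTC)
        return _to_naive_utc(now)
    if isinstance(value, datetime.datetime):
        return _to_naive_utc(value)
    if isinstance(value, str):
        if GENERALIZED_TIME_RE.match(value):
            return datetime.datetime.strptime(value, GENERALIZED_TIME)
        try:
            return _to_naive_utc(datetime.datetime.fromisoformat(value))
        except ValueError:
            pass
    raise ValueError("expiration must be 'now', a datetime, YYYYMMDDHHMMSSZ or ISO 8601")


def to_generalized_time(dt):
    """Render a datetime as the LDAP generalized-time string stored in the directory."""
    return _to_naive_utc(dt).strftime(GENERALIZED_TIME)


def must_change_password(expiration, now):
    """True when the password has expired, i.e. the expiration is at or before now."""
    return _to_naive_utc(expiration) <= _to_naive_utc(now)


if __name__ == '__main__':
    # Constructed sample input: a fixed 'current' time with sub-second precision.
    fixed_now = datetime.datetime(2017, 3, 18, 12, 34, 56, 789000, tzinfo=UTC)
    print(to_generalized_time(parse_expiration('now', fixed_now)))
    print(must_change_password(parse_expiration('20170401000000Z'), fixed_now))
```

Keeping every comparison in naive UTC is the point: a value written into krbPasswordExpiration from a local-time datetime without conversion would be off by the zone offset, which either forces the change early or, worse, leaves the old password valid for a few extra hours.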
5916353 to 78377d8
ipalib/parameters.py
| pass | ||
| if value == u'now': | ||
| time = datetime.datetime.strptime(strftime("%Y%m%d%H%M%SZ", gmtime()), "%Y%m%d%H%M%SZ") | ||
| return time |
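Review bot: the `value == u'now'` branch builds the current time by formatting `gmtime()` with `strftime` and immediately parsing the result back with `strptime`; `datetime.datetime.utcnow()` yields the same naive UTC value directly. The round trip silently truncates to whole seconds, so if it is replaced, keep that with `.replace(microsecond=0)` (the `%Y%m%d%H%M%SZ` format used here has no sub-second field), and remove the `strftime`/`gmtime` imports if nothing else in the module uses them.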
Please use datetime.utctime().
78377d8 to c773399
@HonzaCholasta used |
@redhatrises, |
Oh good. Ready for your review. |
The Please update the "Admin can manage any entry" ACI in |
c773399 to 92126da
@HonzaCholasta updated "Admins can write passwords" ACI to contain 'krbPasswordExpiration' as the "Admin can manage any entry" ACI already had 'krbPasswordExpiration' added. |
VERSION.m4
| @@ -74,7 +74,7 @@ define(IPA_DATA_VERSION, 20100614120000) | |||
| ######################################################## | |||
| define(IPA_API_VERSION_MAJOR, 2) | |||
| define(IPA_API_VERSION_MINOR, 224) | |||
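Review bot: the hunk leaves IPA_API_VERSION_MINOR at 224 although the change adds a new option to a command, which is an API change; bump the minor version in this same commit. The hunk header also shows IPA_DATA_VERSION, and since the patch touches install/updates/20-aci.update, check whether the data version needs bumping as well so the ACI update is applied on upgrade.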
Bump minor version please
install/updates/20-aci.update
| @@ -54,7 +54,7 @@ remove:aci:(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || | |||
| add:aci:(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) | |||
| # Write-only | |||
| remove:aci:(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) | |||
| add:aci:(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) | |||
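Review bot: the `add:aci:` line for "Admin can manage any entry" keeps krbPasswordExpiration in its `targetattr != "..."` list, and that list is an exclusion list: every attribute named there is one this ACI does not grant to the admins group. Because the new "Admins can write passwords" line (`targetattr = "userPassword || ... || ipaNTHash"`) does not name krbPasswordExpiration either, admins still cannot set the expiration after this update is applied. Either drop krbPasswordExpiration from the exclusion list or add it to the write-only ACI, and in both cases keep a `remove:aci:` line whose text matches the currently deployed ACI exactly, otherwise the old ACI stays in LDAP next to the new one.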
Please leave the original ACI there, just replace s/add/remove/ to avoid unholy mess with multiple ACIs (and keep the new one there as well :) )
@MartinBasti not sure I fully understand you correctly, but I set the original ACI to remove and added a new one.
yes, add rule to remove current one from LDAP
92126da to e0f3075
@redhatrises, the "Admin can manage any entry" ACI in fact contains a blacklist of attributes which admins aren't allowed to write. To actually fix the issue you must also remove |
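To make the exclusion-list point concrete, here is an added example (not FreeIPA's ACI evaluator and not code from this pull request) that parses the `targetattr` clause of the two `add:aci:` lines from the update file and reports which attributes the admins group can write through them. It treats `!=` as a deny-list and `=` as an allow-list, ignores targetfilter, deny ACIs and precedence rules, and substitutes a constructed suffix for `$SUFFIX`; the `remove_from_targetattr` helper models the fix of dropping krbPasswordExpiration from the exclusion list.

```python
import re

# Constructed sample: the two add:aci: lines from the update file with $SUFFIX
# replaced by a placeholder suffix. Not any real deployment's configuration.
SUFFIX = 'dc=example,dc=test'
ADMINS = 'ldap:///cn=admins,cn=groups,cn=accounts,' + SUFFIX

MANAGE_ANY_ENTRY = (
    '(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || '
    'sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || '
    'krbCanonicalName || krbPasswordExpiration || krbPwdHistory || '
    'krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || '
    'krbLastFailedAuth || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || '
    'ipaProtectedOperation")(version 3.0; acl "Admin can manage any entry"; '
    'allow (all) groupdn = "%s";)' % ADMINS)

WRITE_PASSWORDS = (
    '(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || '
    'sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; '
    'acl "Admins can write passwords"; allow (add,delete,write) '
    'groupdn="%s";)' % ADMINS)

TARGETATTR_RE = r'\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\)'
ACI_RE = re.compile(
    TARGETATTR_RE
    + r'.*?acl\s+"(?P<name>[^"]*)"'
    + r'.*?allow\s+\((?P<rights>[^)]*)\)'
    + r'.*?groupdn\s*=\s*"(?P<group>[^"]*)"',
    re.DOTALL)


def parse_aci(text):
    """Extract the parts this toy evaluator needs from one ACI string.
    Attribute and right names are lower-cased: LDAP compares them case-insensitively."""
    m = ACI_RE.search(text)
    if m is None:
        raise ValueError('unsupported ACI syntax: %r' % text)
    return {
        'name': m.group('name'),
        'exclude': m.group('op') == '!=',   # "!=" lists attributes NOT covered
        'attrs': frozenset(a.strip().lower() for a in m.group('attrs').split('||')),
        'rights': frozenset(r.strip().lower() for r in m.group('rights').split(',')),
        'group': m.group('group'),
    }


def can_write(acis, group, attr):
    """True if any parsed ACI grants ``group`` write (or all) rights on ``attr``."""
    attr = attr.lower()
    for aci in acis:
        if aci['group'] != group or not aci['rights'] & {'write', 'all'}:
            continue
        covered = attr not in aci['attrs'] if aci['exclude'] else attr in aci['attrs']
        if covered:
            return True
    return False


def writable_report(aci_texts, group, attrs):
    """Map each attribute name to whether ``group`` can write it via ``aci_texts``."""
    acis = [parse_aci(t) for t in aci_texts]
    return {a: can_write(acis, group, a) for a in attrs}


def remove_from_targetattr(aci_text, attr):
    """Return ``aci_text`` with ``attr`` dropped from its targetattr list."""
    def rebuild(m):
        kept = [a.strip() for a in m.group('attrs').split('||')
                if a.strip().lower() != attr.lower()]
        return '(targetattr %s "%s")' % (m.group('op'), ' || '.join(kept))
    return re.sub(TARGETATTR_RE, rebuild, aci_text, count=1)


if __name__ == '__main__':
    attrs = ['krbPasswordExpiration', 'userPassword', 'givenName']
    print(writable_report([MANAGE_ANY_ENTRY, WRITE_PASSWORDS], ADMINS, attrs))
    fixed = remove_from_targetattr(MANAGE_ANY_ENTRY, 'krbPasswordExpiration')
    print(writable_report([fixed, WRITE_PASSWORDS], ADMINS, attrs))
```

Running the report before and after the fix shows the asymmetry the review describes: an attribute named in a `!=` list is simply outside that ACI's grant, so it only becomes writable once some other ACI names it explicitly or it is taken out of the exclusion list.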
…ation - Allows an admin to easily force a user to expire their password forcing the user to change it immediately or at a specified time in the future
e0f3075 to c9e5553
@HonzaCholasta I also removed |
Works for me. Thanks! |
master:
I am not sure the expiration should be coupled with the change user password permission.
It should probably be allowed with some other higher level role/permission
| @@ -351,7 +351,7 @@ aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts | |||
| dn: cn=users,cn=accounts,dc=ipa,dc=example | |||
| aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Add Users";allow (add) groupdn = "ldap:///cn=System: Add Users,cn=permissions,cn=pbac,dc=ipa,dc=example";) | |||
| dn: cn=users,cn=accounts,dc=ipa,dc=example | |||
| aci: (targetattr = "krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example";) | |||
| aci: (targetattr = "krbpasswordexpiration || krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example";) | |||
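Review bot: adding `krbpasswordexpiration` to the "System: Change User password" ACI widens an existing permission instead of creating a new one: every principal that already holds it gains write access to the expiration attribute, and writing that attribute is not only a way to force a change but also a way to push a user's expiration into the future and exempt that user from rotation. A dedicated managed permission for password expiration would keep "Change User password" at its current scope and let the two be granted separately.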
Why do you need to add krbpasswordexpiration to the change user password option?
I think it should be a separate (higher privileged permission) to tamper with password expirations.
Frontline helpdesk may be allowed to change a user password, but they are not allowed to change expiration for example.
| @@ -261,7 +261,7 @@ class user(baseuser): | |||
| ], | |||
| 'ipapermdefaultattr': { | |||
| 'krbprincipalkey', 'passwordhistory', 'sambalmpassword', | |||
| 'sambantpassword', 'userpassword' | |||
| 'sambantpassword', 'userpassword', 'krbpasswordexpiration' | |||
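Review bot: `'krbpasswordexpiration'` is added to `ipapermdefaultattr` of the same "System: Change User password" permission, so the widening takes effect wherever that managed permission's defaults are applied, not only on new installs. If a separate permission is introduced instead, this is the place to define it with its own default attribute set, and the expected-ACI output in the test above must be changed to match.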
See above