I have set up a FreeIPA server. I am facing an issue: the password is expired when a user is first created, so a new user must always set his password when he logs in for the first time, which is defined here. But I don't want this feature.
I am using this library to create or add users in FreeIPA.
So, I connect with FreeIPA like this:
    private function getIPA()
    {
        $host = env('FREEIPA_HOST', 'cloud-host-ipa.com');
        $certificate = database_path(env('FREEIPA_CERTIFICATE', 'ca.crt'));
        try {
            return new \FreeIPA\APIAccess\Main($host, $certificate);
        } catch (\Exception $e) { // fully qualified: the class lives in a namespace, so a bare "Exception" would catch nothing
            throw new \ErrorException("Error {$e->getCode()}: {$e->getMessage()}");
        }
    }

    private function getIPAConnection() // Get an authenticated admin IPA connection
    {
        $ipa = $this->getIPA();
        try {
            $auth = $ipa->connection()->authenticate(env('FREEIPA_ADMIN_NAME', 'oc-ipa-connector'), env('FREEIPA_ADMIN_PASS', 'ADMIN_PASS'));
            if ($auth) {
                return $ipa;
            } else {
                $auth_info = $ipa->connection()->getAuthenticationInfo();
                $auth_info = implode(' ', $auth_info);
                throw new \ErrorException("\nLogin Failed : {$auth_info}");
            }
        } catch (\Exception $e) {
            throw new \ErrorException("\nError {$e->getCode()}: {$e->getMessage()}");
        }
    }
Then I add a user like this:
    $ipa = $this->getIPAConnection();
    try {
        $new_user_data = array(
            'givenname' => $givenname,
            'sn'        => $sn,
            'uid'       => $uid,
            //'userpassword' => $_POST["userpassword"],
            'mail'      => $mail,
            'mobile'    => $phone
        );
        $add_user = $ipa->user()->add($new_user_data);
        if ($add_user) {
            return true;
        }
        return false;
    } catch (\Exception $e) {
        throw new \ErrorException("Error {$e->getCode()}: {$e->getMessage()}");
    }
This code works fine and the user is added.
Then I set the password with this code:
    $ipa = $this->getIPAConnection();
    try {
        $user_info = $ipa->user()->get($uid);
        if ($user_info != false) {
            $new_user_data = array(
                'userpassword' => $password,
            );
            $mod_user = $ipa->user()->modify($uid, $new_user_data);
            if ($mod_user) {
                return true;
            }
        }
        return false;
    } catch (\Exception $e) {
        throw new \ErrorException("Error {$e->getCode()}: {$e->getMessage()}");
    }
The password is also set perfectly, but the set password is expired automatically just after it is set.
I want my users to keep this password for at least 1 week, so I want to disable this feature. Is there any practical way?
I have created this issue in FreeIPA asking for a workaround, but the issue is closed and marked as "Closed: wontfix". So I wonder if there exists a workaround?
The answer was provided in the link https://www.redhat.com/archives/freeipa-users/2012-June/msg00360.html.
There is a global policy for passwords, which you can see with the command below:
[server]$ ipa pwpolicy-show
Group: global_policy
Max lifetime (days): 90
Min lifetime (hours): 1
History size: 0
Character classes: 0
Min length: 8
Max failures: 6
Failure reset interval: 60
Lockout duration: 600
You can create a new policy override for the group to which you are adding the user by running the command:
[server]$ ipa pwpolicy-add sysadmin --minlife=0
Priority: 50
Group: sysadmin
Min lifetime (hours): 0
Priority: 50
Now this policy overrides the global password policy and creates a policy just for the group.
If you want to modify the global policy, you can do the same with the command:
[server]$ ipa pwpolicy-mod global_policy --minlife=0
Group: global_policy
Max lifetime (days): 90
Min lifetime (hours): 0
History size: 0
Character classes: 0
Min length: 8
Max failures: 6
Failure reset interval: 60
Lockout duration: 600
Note the change in Min lifetime (hours) to 0, which causes the password to never expire.
After you create the user, you need to run this code from a script on the server:
    echo -e "$PASSWORD\n$PASSWORD\n$PASSWORD" | kinit "$username"
    kdestroy
Note that you need to send PASSWORD and username as parameters to the script and execute this script remotely.
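As an added example (not part of the original answer), here is a POSIX sh function that performs the kinit step above with the quoting fixed. It assumes kinit and kdestroy are on PATH, that the policy changes shown above have been applied (Min lifetime 0; with History size above 0 the KDC would refuse the reuse), and that the caller supplies the user's expired password on stdin rather than as a script parameter:

```shell
# reset_expired_password USERNAME   (reads the user's current password on stdin)
#
# Feeds kinit the expired password once to authenticate and twice more as the
# "new" password and its confirmation, so the expiry flag is cleared without
# actually changing the password. Compared with the one-liner above it quotes
# correctly, uses printf instead of `echo -e` (backslashes in the password are
# passed through untouched), keeps the password off the command line (nothing
# for `ps` or shell history to see) and uses a throw-away credential cache so
# an admin ticket already held by the caller is not wiped by kdestroy.
reset_expired_password() {
    username=$1
    if [ -z "$username" ]; then
        echo "usage: reset_expired_password USERNAME < password_file" >&2
        return 2
    fi
    # Read exactly one line; -r keeps backslashes literal.
    IFS= read -r password || return 1
    if [ -z "$password" ]; then
        echo "reset_expired_password: empty password on stdin" >&2
        return 1
    fi
    ccache=$(mktemp) || return 1
    rc=0
    printf '%s\n%s\n%s\n' "$password" "$password" "$password" \
        | KRB5CCNAME="FILE:$ccache" kinit "$username" || rc=$?
    # kdestroy only removes our private cache, never the caller's tickets.
    KRB5CCNAME="FILE:$ccache" kdestroy 2>/dev/null || true
    rm -f "$ccache"
    unset password
    if [ "$rc" -ne 0 ]; then
        echo "reset_expired_password: kinit failed for $username (status $rc)" >&2
    fi
    return "$rc"
}
```

Call it as `printf '%s\n' "$password" | reset_expired_password "$username"` from the code that just created the user; a non-zero return means the KDC rejected the change (wrong password, or a policy that still blocks it).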