Directory Server has its own internal password policy that it
manages itself. It does not communicate with other services.
389's password policy does say why it rejects passwords. But in
IPA deployments IPA also has its own unique password policy
plugin, and it does NOT use 389's password policy.
This is not how 389 responds to invalid passwords, so this must be how sssd/ipa responds to invalid passwords.
Hello,
I enabled password complexity constraints, password history and password expiration (1 days min, 70 days max).
When I use the command passwd to change a user's password, I get the error message:
Password change failed. Server message: Failed to update password
passwd: Authentication token is no longer valid; new one required
In the following cases:
Password was changed less than a day ago
Password does not match complexity constraints
Password is already in history
My question: would it be possible to give better information to the user? To let him know that his password is not matching constraints, already in history or changed recently?
I realize that some of this is related to sssd/pam, but I'd like to know if 389 server is at least able to tell this to sssd/pam.
Like I said sssd/pam do not use 389's password policies, so I would ask this question on freeipa-users@xxxxxxxxxxxxxxxxxxxxxx
HTH,
Mark
Thanks,
Nicolas Martin
_______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
-- 389 Directory Server Development Team