Hello All,
so we have some 200 laptops who are ipa-clients.
At the moment the only way for the users on these laptops to reset their passwords is to wait until the password expires. Than they get a message on the login screen and they can reset the password.
I would like to have an alternative method.
Have them login to the Freeipa server is the obvious, but here they see too much information, like all the users.
Is there another way to have users reset their passwords?
Many thanks, J.
Hello Johan,
what about this command :
ipa user-mod --password
Regards
Dirk
Am 10.12.19 um 13:54 schrieb Johan Vermeulen via FreeIPA-users:
Hello All,
so we have some 200 laptops who are ipa-clients.
At the moment the only way for the users on these laptops to reset their passwords is to wait until the password expires. Than they get a message on the login screen and they can reset the password.
I would like to have an alternative method.
Have them login to the Freeipa server is the obvious, but here they see too much information, like all the users.
Is there another way to have users reset their passwords?
Many thanks, J.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
A thought:
If a user logs in to a laptop, then does a "kinit", can they then do a "kpasswd" to update their password ?
______________________________________________________________________________________________
Daniel E. White daniel.e.white@nasa.govmailto:daniel.e.white@nasa.gov NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room E175 Greenbelt, MD 20771 Office: (301) 286-6919 Mobile: (240) 513-5290
From: Johan Vermeulen via FreeIPA-users freeipa-users@lists.fedorahosted.org Reply-To: FreeIPA users list freeipa-users@lists.fedorahosted.org Date: Tuesday, December 10, 2019 at 07:56 To: FreeIPA users list freeipa-users@lists.fedorahosted.org Cc: Johan Vermeulen jameslast29@gmail.com Subject: [EXTERNAL] [Freeipa-users] have users reset password
Hello All,
so we have some 200 laptops who are ipa-clients.
At the moment the only way for the users on these laptops to reset their passwords is to wait until the password expires. Than they get a message on the login screen and they can reset the password.
I would like to have an alternative method.
Have them login to the Freeipa server is the obvious, but here they see too much information, like all the users.
Is there another way to have users reset their passwords?
Many thanks, J.
White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote:
A thought:
If a user logs in to a laptop, then does a "kinit", can they then do a "kpasswd" to update their password ?
That will work. passwd will change the password as well.
rob
*______________________________________________________________________________________________*
**
*Daniel E. White** **daniel.e.white@nasa.gov mailto:daniel.e.white@nasa.gov***
*NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room E175 Greenbelt, MD 20771***
*Office: (301) 286-6919***
*Mobile: (240) 513-5290*
*From: *Johan Vermeulen via FreeIPA-users freeipa-users@lists.fedorahosted.org *Reply-To: *FreeIPA users list freeipa-users@lists.fedorahosted.org *Date: *Tuesday, December 10, 2019 at 07:56 *To: *FreeIPA users list freeipa-users@lists.fedorahosted.org *Cc: *Johan Vermeulen jameslast29@gmail.com *Subject: *[EXTERNAL] [Freeipa-users] have users reset password
Hello All,
so we have some 200 laptops who are ipa-clients.
At the moment the only way for the users on these laptops to reset their passwords is to wait until the password expires.
Than they get a message on the login screen and they can reset the password.
I would like to have an alternative method.
Have them login to the Freeipa server is the obvious, but here they see too much information, like all the users.
Is there another way to have users reset their passwords?
Many thanks, J.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Hello Rob,
just for my understanding, when kpasswd and passwd change the password of the IPA / IDM User, how notice the IPA/IDM Server the change?
Regards
Dirk
Am 10.12.19 um 15:57 schrieb Rob Crittenden via FreeIPA-users:
White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote:
A thought:
If a user logs in to a laptop, then does a "kinit", can they then do a "kpasswd" to update their password ?
That will work. passwd will change the password as well.
rob
*______________________________________________________________________________________________*
**
*Daniel E. White** **daniel.e.white@nasa.gov mailto:daniel.e.white@nasa.gov***
*NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room E175 Greenbelt, MD 20771***
*Office: (301) 286-6919***
*Mobile: (240) 513-5290*
*From: *Johan Vermeulen via FreeIPA-users freeipa-users@lists.fedorahosted.org *Reply-To: *FreeIPA users list freeipa-users@lists.fedorahosted.org *Date: *Tuesday, December 10, 2019 at 07:56 *To: *FreeIPA users list freeipa-users@lists.fedorahosted.org *Cc: *Johan Vermeulen jameslast29@gmail.com *Subject: *[EXTERNAL] [Freeipa-users] have users reset password
Hello All,
so we have some 200 laptops who are ipa-clients.
At the moment the only way for the users on these laptops to reset their passwords is to wait until the password expires.
Than they get a message on the login screen and they can reset the password.
I would like to have an alternative method.
Have them login to the Freeipa server is the obvious, but here they see too much information, like all the users.
Is there another way to have users reset their passwords?
Many thanks, J.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Dirk Streubel via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
Hello Rob,
just for my understanding, when kpasswd and passwd change the password of the IPA / IDM User, how notice the IPA/IDM Server the change?
They share a database (LDAP) for storage of that information, so the change happens for both at the same time.
Thanks, --Robbie
Hello Robbie,
thanks a lot for the quick answer.
I was wondering that kpasswsd and passwd change the Password Entry in the 389 Server.
But if it works i will use that way in the future :)
Regards
Dirk
Am 12.12.19 um 20:21 schrieb Robbie Harwood via FreeIPA-users:
Dirk Streubel via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
Hello Rob,
just for my understanding, when kpasswd and passwd change the password of the IPA / IDM User, how notice the IPA/IDM Server the change?
They share a database (LDAP) for storage of that information, so the change happens for both at the same time.
Thanks, --Robbie
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Dirk Streubel wrote:
Hello Robbie,
thanks a lot for the quick answer.
I was wondering that kpasswsd and passwd change the Password Entry in the 389 Server.
But if it works i will use that way in the future :)
IPA has a plugin in 389-ds that intercepts password changes and synchronizes the userPassword in LDAP, sets the Kerberos keys and optionally can set other passwords as well while it has the cleartext password.
So pretty much any valid method to set a password will work the same way: ldappasswd, ldapmodify, kpasswd, passwd or several ipa commands.
This also enforces password policy in a uniform way.
rob
Regards
Dirk
Am 12.12.19 um 20:21 schrieb Robbie Harwood via FreeIPA-users:
Dirk Streubel via FreeIPA-usersfreeipa-users@lists.fedorahosted.org writes:
Hello Rob,
just for my understanding, when kpasswd and passwd change the password of the IPA / IDM User, how notice the IPA/IDM Server the change?
They share a database (LDAP) for storage of that information, so the change happens for both at the same time.
Thanks, --Robbie
FreeIPA-users mailing list --freeipa-users@lists.fedorahosted.org To unsubscribe send an email tofreeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct:https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines:https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives:https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Hallo Daniel, hello Dirk,
yes, both commands work. Problem solved I would say. Thank you very much!
Greetings, J.
Op di 10 dec. 2019 om 14:12 schreef White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users freeipa-users@lists.fedorahosted.org:
A thought:
If a user logs in to a laptop, then does a "kinit", can they then do a "kpasswd" to update their password ?
*______________________________________________________________________________________________*
*Daniel E. White* *daniel.e.white@nasa.gov daniel.e.white@nasa.gov*
*NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room E175 Greenbelt, MD 20771*
*Office: (301) 286-6919*
*Mobile: (240) 513-5290*
*From: *Johan Vermeulen via FreeIPA-users < freeipa-users@lists.fedorahosted.org> *Reply-To: *FreeIPA users list freeipa-users@lists.fedorahosted.org *Date: *Tuesday, December 10, 2019 at 07:56 *To: *FreeIPA users list freeipa-users@lists.fedorahosted.org *Cc: *Johan Vermeulen jameslast29@gmail.com *Subject: *[EXTERNAL] [Freeipa-users] have users reset password
Hello All,
so we have some 200 laptops who are ipa-clients.
At the moment the only way for the users on these laptops to reset their passwords is to wait until the password expires.
Than they get a message on the login screen and they can reset the password.
I would like to have an alternative method.
Have them login to the Freeipa server is the obvious, but here they see too much information, like all the users.
Is there another way to have users reset their passwords?
Many thanks, J.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
freeipa-users@lists.fedorahosted.org
-
Dirk Streubel -
Johan Vermeulen -
Rob Crittenden -
Robbie Harwood -
White, Daniel E. (GSFC-770.0)[NICS]