There seem to be two problems with passwords.
When the admin sets an initial password, it does not have to conform to the password policy. I'm guessing that this is by design, but would like that confirmed.
Second is that as a user, whatever I type for the password gets rejected due to policy. This happens from the CLI as well as from curl. Below is the curl attempt.
Results are the same with and without the "kfrog" parameter value. I can change the password as the administrator, and then kinit as the kfrog user, which forces a password change. All that works. It is just the ipa passwd as kfrog that is broken.
[ayoung@ipa ~]$ curl -H "Content-Type:application/json" -H "Accept:applicaton/json" -H "Accept-Language:es;q=1.0,en;q=0.5" --negotiate -u : --cacert /etc/ipa/ca.crt -d '{"method":"passwd","params":[["kfrog"],{"password":"3z2bgr33n"}],"id":6}' -X POST https://hostname/ipa/json
{
  "error": {
    "code": 4203,
    "kw": {
      "desc": { "base64": "Q29uc3RyYWludCB2aW9sYXRpb24=" },
      "info": { "base64": "UGFzc3dvcmQgRmFpbHMgdG8gbWVldCBtaW5pbXVtIHN0cmVuZ3RoIGNyaXRlcmlh" }
    },
    "message": "Constraint violation:Password Fails to meet minimum strength criteria",
    "name": { "base64": "RGF0YWJhc2VFcnJvcg==" }
  },
  "id": 6,
  "result": null
}
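The JSON-RPC exchange above, as an added example (not code from the ticket or from FreeIPA's own client): it builds the passwd request body the curl command sends, and decodes the base64-wrapped desc/info/name fields of the error reply so the 389-ds message can be read directly. The error body from the post is embedded as constructed sample input; the Kerberos-negotiated HTTP call itself is not performed.

```python
import base64
import json

# Constructed sample: the error reply from the curl attempt in the ticket, verbatim.
SAMPLE_ERROR = """{
  "error": {
    "code": 4203,
    "kw": {
      "desc": {"base64": "Q29uc3RyYWludCB2aW9sYXRpb24="},
      "info": {"base64": "UGFzc3dvcmQgRmFpbHMgdG8gbWVldCBtaW5pbXVtIHN0cmVuZ3RoIGNyaXRlcmlh"}
    },
    "message": "Constraint violation:Password Fails to meet minimum strength criteria",
    "name": {"base64": "RGF0YWJhc2VFcnJvcg=="}
  },
  "id": 6,
  "result": null
}"""


def build_passwd_request(principal, password, request_id=6):
    """Return the JSON-RPC body for 'ipa passwd': positional args, options dict, id."""
    return {"method": "passwd",
            "params": [[principal], {"password": password}],
            "id": request_id}


def unwrap_base64(node):
    """Recursively replace {"base64": "..."} wrappers with their decoded UTF-8 text."""
    if isinstance(node, dict):
        if set(node) == {"base64"}:
            return base64.b64decode(node["base64"]).decode("utf-8")
        return {key: unwrap_base64(value) for key, value in node.items()}
    if isinstance(node, list):
        return [unwrap_base64(value) for value in node]
    return node


def summarize_error(body):
    """Return (code, name, desc, info) for an error reply, or None if the call succeeded."""
    data = unwrap_base64(json.loads(body))
    err = data.get("error")
    if err is None:
        return None
    kw = err.get("kw", {})
    return (err.get("code"), err.get("name"), kw.get("desc"), kw.get("info"))


if __name__ == "__main__":
    print(json.dumps(build_passwd_request("kfrog", "3z2bgr33n")))
    print(summarize_error(SAMPLE_ERROR))
```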
Yes, the administrator doesn't have to conform to password policy when resetting a password.
The error message is thrown by 389-ds that your password is too weak. I don't think this is a problem with the password plugin.
No, I get the error regardless of the password I chose. The only policy I have is that it needs to be more than 8 characters:
ipa pwpolicy-show
  Group: GLOBAL
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
I submitted the password: 3z2bgr33n and many others and still got this problem.
Can you verify there is no group policy for this user?
ipa pwpolicy-show --user=kfrog
Also, see if anything is logged in the dirsrv error log.
[ayoung@ipa ~]$ ipa pwpolicy-show --user kfrog
  Group: GLOBAL
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
Nothing appears in /var/log/httpd/error_log
Adam, does the password get rejected if you try to change it using "passwd" or "kpasswd" from a machine configured to use Kerberos auth?
Now works:

kinit admin ...
[root@ipa ~]# ipa passwd kfrog
password:
Enter password again to verify:
[root@ipa ~]# kinit kfrog
Password for kfrog@AYOUNG.BOSTON.DEVEL.REDHAT.COM:
Password expired. You must change it now.
Enter new password:
Enter it again:
[root@ipa ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kfrog@AYOUNG.BOSTON.DEVEL.REDHAT.COM

Valid starting     Expires            Service principal
10/29/10 10:56:12  10/30/10 10:56:12  krbtgt/AYOUNG.BOSTON.DEVEL.REDHAT.COM@AYOUNG.BOSTON.DEVEL.REDHAT.COM
[root@ipa ~]#
Metadata Update from @admiyo:
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 2.0 - 2010/11