Applying password policy automatically on every user


After spending so many hours trying to find a better method to apply a password policy, here is my case.

We are trying to set up a password policy (never configured before) on a subtree under RH Directory Server.

Once the policy has been configured, after the user changes their password, the necessary fields are created automatically.

Do you know if there is any procedure to apply the policy automatically to every entry in the OU, without forcing users to change their passwords manually?

Thanks in advance.

Best Regards.


Your question isn't entirely clear: are you asking if there's a way to determine whether existing user-passwords conform to your new policies and then only force those that aren't compliant to change to a compliant password?

I believe he is asking if changes to a password policy are applied retroactively to passwords set under a previous iteration of the password policy.

My understanding is that such changes are NOT applied retroactively. In order for a user's password to conform to the new iteration of the password policy, it must be set again after the changes have been implemented.

I will caveat that this has been my experience with IPA specifically; RHDS may treat password policies differently, although I suspect they both behave similarly with regard to password policies.

It would be A Bad Thing™ if authentication systems could scan their credential databases to tell "this stored password is non-conformant". Most typically, what it would mean is that the passwords are stored in either clear-text or a trivially obfuscated/"encrypted" format (e.g., rot13).

Assuming they weren't so stored, the ability to evaluate all of the stored passwords for conformance would mean you had a tool that was able to crack all those passwords in exceedingly-close proximity to those stored passwords. That, too, would be A Bad Thing™ (especially in light of things like MELTDOWN/SPECTRE or more-easily exploited equivalent weaknesses).

The closest you could get without going too far into the Bad Thing™ realm would be injecting an analyzer into the authentication exchange. You could analyze what the authenticating user typed in and, if it was non-conformant, either set a login message saying "non-conformant password: please change" or add another link in the auth-chain to force it.

Still, the best is probably to issue a realm-wide password-expiry so that anyone attempting to login, afterwards, is forced to change to something conformant.
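One way to carry out the "realm-wide password expiry" suggested above is to export the users of the subtree with an administrative bind, then generate an LDIF that sets passwordExpirationTime on each one to an already-past timestamp and feed it to ldapmodify. The script below is an added example, not code from the thread or from Red Hat; the LDIF export it parses is constructed, the choice of 19700101000000Z as the expired value and the assumption that the subtree policy has passwordExp set to on are the author's, and the function names (parse_ldif, select_targets, render_expire_ldif) are invented here.

```python
"""Generate LDIF that expires every password under an OU so that RHDS/389-DS
forces a change at the next bind.

Added example for this thread; nothing here is Red Hat's own tooling.
Assumptions (labelled): the export was taken with an admin bind so that
userPassword and passwordExpirationTime are visible; the subtree policy has
passwordExp: on, otherwise passwordExpirationTime is ignored; 19700101000000Z
is used as the already-expired value.
"""
from datetime import datetime, timezone

# Constructed sample of what an admin-bound
#   ldapsearch -b ou=People,dc=example,dc=com '(objectClass=inetOrgPerson)'
# might return. Hash values are placeholders, not real credentials.
SAMPLE_EXPORT = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
userPassword: {SSHA512}cGxhY2Vob2xkZXI=
passwordExpirationTime: 20351231235959Z

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
userPassword: {PBKDF2_SHA256}cGxhY2Vob2xkZXI=

dn: uid=svc-backup,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: svc-backup
userPassword: {SSHA}cGxhY2Vob2xkZXI=
passwordExpirationTime: 19700101000000Z

dn: cn=nsPwPolicyContainer,ou=People,dc=example,dc=com
objectClass: nsContainer
cn: nsPwPolicyContainer
"""

EXPIRED = "19970101000000Z"[:0] + "19700101000000Z"  # assumed "already expired" GeneralizedTime


def parse_ldif(text):
    """Minimal LDIF reader: unfold continuation lines, split entries on blank
    lines, lower-case attribute names. Base64 (::) values are kept encoded;
    only dn/objectClass/uid/passwordExpirationTime matter here."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = value[1:]
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def select_targets(export_text, now=None, exclude=()):
    """Return DNs of user entries whose password is not yet expired.
    Service accounts named in `exclude` are skipped: expiring them would
    break whatever binds with them. GeneralizedTime in the YYYYMMDDHHMMSSZ
    form compares correctly as a string."""
    if now is None:
        now = datetime.now(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    excluded = {u.lower() for u in exclude}
    targets = []
    for e in parse_ldif(export_text):
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "inetorgperson" not in classes or "userpassword" not in e:
            continue  # policy containers, groups, accounts without a password
        uid = e.get("uid", [""])[0].lower()
        if uid in excluded:
            continue
        exp = e.get("passwordexpirationtime", [None])[0]
        if exp and exp <= now:
            continue  # already expired, nothing to do
        targets.append(e["dn"][0])
    return targets


def render_expire_ldif(dns):
    """One changetype: modify record per DN, suitable for `ldapmodify -f`."""
    records = [
        f"dn: {dn}\nchangetype: modify\n"
        f"replace: passwordExpirationTime\npasswordExpirationTime: {EXPIRED}\n"
        for dn in dns
    ]
    return "\n".join(records)


if __name__ == "__main__":
    print(render_expire_ldif(select_targets(SAMPLE_EXPORT, exclude={"svc-backup"})))
```

After applying the LDIF as Directory Manager, the next simple bind by an affected user returns the password-expired condition, and the server only rewrites passwordExpirationTime once the user sets a password that satisfies the new policy. The effect is visible to the user only if whatever performs the bind honours that condition (the bind error or the password policy response control); an application that treats every invalid-credentials style response identically, as in the OP's later report, will not prompt for a change.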

Hi Thomas Jones and Russell Goldberg

Sorry for the delay, I was busy with a lot of work. Thank you both for the answers. Understood: there's no way to automatically apply a policy over an OU without forcing users to change their password. The last test we did was to activate the checkbox "user must change password after reset" with the new policy setting.

But the user wasn't asked to change their password. I don't know if it is related to the user validation being done through an application and not from systems inside the domain.

Thanks in advance.

Best Regards.

We don't use RHDS (just native AD) at my customer sites, so can't speak to clients of RHDS. That said, I know that my customers have had issues around:

  • Getting "need to reset password" notices on login when setting the must-change flag at the domain
  • Having the domain properly record that users have authenticated within 'X' days if they've only logged in via an RH client (which they use to flag unused accounts for disablement).

Mostly offering the above as anecdotal information around the passing of information (e.g., the "must change" flag) between directory source and directory client.