Applying password policy automatically on every user
After spending so many hours trying to find a better method to apply a password policy, here is my case.
We are trying to set up a password policy (never configured before) on a subtree under RH Directory Server.
Once the policy has been configured, after a user changes their password, the necessary fields are created automatically.
Do you know if there is any procedure to apply policies automatically to every record in the OU, without forcing users to change their password manually?
Thanks in advance.
Best Regards.
Responses
I believe he is asking if changes to a password policy are applied retroactively to passwords set under a previous iteration of the password policy.
My understanding is that such changes are NOT applied retroactively. In order for a user's password to conform to the new iteration of the password policy, it must be set again after the changes have been implemented.
I will caveat that this has been my experience with IPA specifically; RHDS may treat password policies differently, although I suspect they both behave similarly with regard to password policies.
It would be A Bad Thing™ if authentication systems could scan their credential databases to tell "this stored password is non-conformant". Most typically, what it would mean is that the passwords are stored in either clear-text or a trivially obfuscated/"encrypted" format (e.g., rot13).
Assuming they weren't so stored, the ability to evaluate all of the stored passwords for conformance would mean you had a tool that was able to crack all those passwords in exceedingly-close proximity to those stored passwords. That, too, would be A Bad Thing™ (especially in light of things like MELTDOWN/SPECTRE or more-easily exploited equivalent weaknesses).
The closest you could get without going too far into the Bad Thing™ realm would be injecting an analyzer into the authentication exchange. You could analyze what the authenticating user typed in and, if it was non-conformant, either set a login message saying "non-conformant password: please change" or add another link in the auth-chain to force it.
Still, the best is probably to issue a realm-wide password-expiry so that anyone attempting to login, afterwards, is forced to change to something conformant.
We don't use RHDS (just native AD) at my customer sites, so can't speak to clients of RHDS. That said, I know that my customers have had issues around:
- Getting "need to reset password" notices on login when setting the must-change flag at the domain
- Having the domain properly record that users have authenticated within 'X' days if they've only logged in via an RH client (which they use to flag unused accounts for disablement).
Mostly offering the above as anecdotal information around the passing of information (e.g., the "must change" flag) between directory source and directory client.
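As an added example of the "realm-wide password expiry" approach suggested above (this is not code from the original thread or from Red Hat), the script below pre-expires the password of every user under one subtree so that each of them is forced through the password-change path on their next bind, at which point the subtree policy applies. It assumes 389 Directory Server / RHDS conventions: the `passwordExpirationTime` operational attribute is writable by Directory Manager, the epoch timestamp `19700101000000Z` is treated as "already expired", and `ldapsearch`/`ldapmodify` are the OpenLDAP clients. The host, bind DN, subtree DN, password file and the sample search output are constructed placeholders.

```shell
# Added example, not from the original thread. Pre-expire every password in a
# subtree so users must change them on next login (RHDS / 389-ds assumptions).

LDAP_URL="${LDAP_URL:-ldap://localhost:389}"             # assumed host
BIND_DN="${BIND_DN:-cn=Directory Manager}"              # assumed admin DN
PW_FILE="${PW_FILE:-/etc/dirsrv/dm.pw}"                 # assumed password file
SUBTREE="${SUBTREE:-ou=People,dc=example,dc=com}"       # assumed subtree

# Generalized-time value in the past: the server treats such a
# passwordExpirationTime as expired and forces a change on bind.
PAST="19700101000000Z"

# Constructed sample of "ldapsearch -LLL" output, used for the offline dry run.
SAMPLE_SEARCH='dn: uid=alice,ou=People,dc=example,dc=com
uid: alice

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
'

# Read LDIF search output on stdin, print one DN per line.
extract_dns() {
  sed -n 's/^dn: //p'
}

# Read DNs (one per line) on stdin, emit an LDIF "modify" record for each one
# that replaces passwordExpirationTime with the past timestamp.
build_reset_ldif() {
  while IFS= read -r dn; do
    [ -n "$dn" ] || continue
    printf 'dn: %s\nchangetype: modify\nreplace: passwordExpirationTime\npasswordExpirationTime: %s\n\n' \
      "$dn" "$PAST"
  done
}

# Offline dry run over the constructed sample: review this output before
# touching a live directory.
reset_ldif_for_sample() {
  printf '%s' "$SAMPLE_SEARCH" | extract_dns | build_reset_ldif
}

# Live run: only entries that actually hold a userPassword are selected, so
# accounts without a local password (e.g. PTA/SASL-mapped ones) are skipped.
reset_subtree() {
  ldapsearch -LLL -H "$LDAP_URL" -D "$BIND_DN" -y "$PW_FILE" -b "$SUBTREE" \
      '(&(objectClass=person)(userPassword=*))' 1.1 \
    | extract_dns \
    | build_reset_ldif \
    | ldapmodify -H "$LDAP_URL" -D "$BIND_DN" -y "$PW_FILE"
}
```

Run `reset_ldif_for_sample` first to see the LDIF that will be applied, then `reset_subtree` against the real directory. The subtree policy itself must already exist with `passwordMustChange` enabled, otherwise an expired password only yields a bind error rather than a forced change; on recent RHDS releases that policy can be created with `dsconf <instance> localpwp addsubtree <subtree DN>` and `dsconf <instance> localpwp set --pwdmustchange on <subtree DN>`. As noted in the thread, nothing here inspects the old passwords; it simply guarantees the next password each user sets is checked against the new policy.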
