Chapter 22. User Authentication

This chapter describes managing user authentication mechanisms, including information on how to manage users' passwords, SSH keys, and certificates, or how to configure one-time password (OTP) and smart-card authentication.

Note

For documentation on how to log in to Identity Management (IdM) using Kerberos, see Chapter 5, The Basics of Managing the IdM Server and Services.

22.1. User Passwords

22.1.1. Changing and Resetting User Passwords

Regular users without the permission to change other users' passwords can change only their own personal password. Personal passwords changed in this way:
  • Must meet the IdM password policies. For details on configuring password policies, see Chapter 28, Defining Password Policies.

Administrators and users with password change rights can set initial passwords for new users and reset passwords for existing users. Passwords changed in this way:
  • Expire after the first successful login, so the user must choose a new password at that point. To disable this behavior, see Section 22.1.2, “Enabling Password Reset Without Prompting for a Password Change at the Next Login”.

Note

The LDAP Directory Manager (DM) user can change user passwords using LDAP tools. The new password can override any IdM password policies. Passwords set by DM do not expire after the first login.

22.1.1.1. Web UI: Changing Your Own Personal Password

  1. In the top right corner, click User name → Change password.

    Figure 22.1. Resetting Password

  2. Enter the new password.

22.1.1.2. Web UI: Resetting Another User's Password

  1. Select Identity → Users.
  2. Click the name of the user to edit.
  3. Click Actions → Reset password.

    Figure 22.2. Resetting Password

  4. Enter the new password, and click Reset Password.

    Figure 22.3. Confirming New Password

22.1.1.3. Command Line: Changing or Resetting Another User's Password

To change your own personal password or to change or reset another user's password, add the --password option to the ipa user-mod command. The command will prompt you for the new password.
$ ipa user-mod user --password
Password:
Enter Password again to verify:
--------------------
Modified user "user"
--------------------
...

22.1.2. Enabling Password Reset Without Prompting for a Password Change at the Next Login

By default, when an administrator resets another user's password, the password expires after the first successful login. See Section 22.1.1, “Changing and Resetting User Passwords” for details.
To ensure that passwords set by administrators do not expire when used for the first time, make these changes on every Identity Management server in the domain:
  • Edit the password synchronization entry: cn=ipa_pwd_extop,cn=plugins,cn=config.
  • Specify the administrative user accounts in the passSyncManagersDNs attribute. The attribute is multi-valued.
For example, to specify the admin user by using the ldapmodify utility:
$ ldapmodify -x -D "cn=Directory Manager" -W -h ldap.example.com -p 389

dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=com

Warning

Specify only the users who require these additional privileges. All users listed under passSyncManagersDNs can:
  • Perform password change operations without requiring a subsequent password reset
  • Bypass the password policy so that no strength or history enforcement is applied
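Because every DN in passSyncManagersDNs can bypass password policy, it is worth periodically checking the attribute against the short list of accounts that are meant to hold it. The following Python script is an added example, not part of the Red Hat documentation: it parses LDIF such as ldapsearch returns for the cn=ipa_pwd_extop entry (the sample here is constructed, including a folded line and a mixed-case DN), normalizes the DNs, and reports holders that are not on an assumed allowlist.

```python
import base64
import re

# Constructed sample of what an ldapsearch for passSyncManagersDNs on
# cn=ipa_pwd_extop,cn=plugins,cn=config might return. The second value is
# folded across two lines and uses mixed case, both of which LDIF permits.
SAMPLE_LDIF = """\
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=com
passSyncManagersDNs: uid=Helpdesk-Svc, cn=users, cn=accounts,
 dc=example,dc=com
"""

# Assumed allowlist: the only account that should hold the bypass privilege.
EXPECTED = {"uid=admin,cn=users,cn=accounts,dc=example,dc=com"}


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def normalize_dn(dn):
    """Lowercase and strip whitespace around RDN separators so DNs compare reliably."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def pass_sync_managers(ldif_text):
    """Return the normalized set of passSyncManagersDNs values found in the LDIF."""
    managers = set()
    for line in unfold_ldif(ldif_text):
        m = re.match(r"(?i)^passSyncManagersDNs(::?)\s*(.+)$", line)
        if not m:
            continue
        value = m.group(2)
        if m.group(1) == "::":  # base64-encoded value
            value = base64.b64decode(value).decode("utf-8")
        managers.add(normalize_dn(value))
    return managers


def audit(ldif_text, expected):
    """Return (unexpected, missing): holders not on the allowlist, and allowlisted DNs absent."""
    actual = pass_sync_managers(ldif_text)
    wanted = {normalize_dn(d) for d in expected}
    return sorted(actual - wanted), sorted(wanted - actual)


if __name__ == "__main__":
    unexpected, missing = audit(SAMPLE_LDIF, EXPECTED)
    for dn in unexpected:
        print("UNEXPECTED password-policy bypass holder:", dn)
    for dn in missing:
        print("allowlisted DN not present:", dn)
```

Run it against the real output of ldapsearch on each IdM server, since cn=config is not replicated and every server must be checked separately.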

22.1.3. Unlocking User Accounts After Password Failures

If a user attempts to log in using an incorrect password a certain number of times, IdM will lock the user account, which prevents the user from logging in. Note that IdM does not display any warning message that the user account has been locked.

Note

For information on setting the exact number of allowed failed attempts and the duration of the lockout, see Chapter 28, Defining Password Policies.

IdM automatically unlocks the user account after a specified amount of time has passed. Alternatively, the administrator can unlock the user account manually.

Unlocking a User Account Manually

To unlock a user account, use the ipa user-unlock command.
$ ipa user-unlock user
-----------------------
Unlocked account "user"
-----------------------
After this, the user is able to log in again.

22.1.3.1. Checking the Status of a User Account

To display the number of failed login attempts for a user, use the ipa user-status command. If the displayed number exceeds the number of allowed failed login attempts, the user account is locked.
$ ipa user-status user
-----------------------
Account disabled: False
-----------------------
  Server: example.com
  Failed logins: 8
  Last successful authentication: 20160229080309Z
  Last failed authentication: 20160229080317Z
  Time now: 2016-02-29T08:04:46Z
----------------------------
Number of entries returned 1
----------------------------