Discussion:
[Freeipa-devel] [freeipa PR#621][opened] Add --force-password-reset to user_mod in user.py
redhatrises
2017-03-18 15:46:42 UTC
URL: https://github.com/freeipa/freeipa/pull/621
Author: redhatrises
Title: #621: Add --force-password-reset to user_mod in user.py
Action: opened

PR body:
"""
- Allows an admin to easily force a user to expire their password forcing them to change it.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/621/head:pr621
git checkout pr621
abbra
2017-03-18 17:08:54 UTC
URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --force-password-reset to user_mod in user.py

abbra commented:
"""
I would prefer this to be an option in `ipa passwd`, e.g. `ipa passwd --force-reset` which instead of modifying a user password would modify krbPasswordExpiration value.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-287559962
redhatrises
2017-03-20 13:41:19 UTC
URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --force-password-reset to user_mod in user.py

redhatrises commented:
"""
@abbra why not have it in both `ipa user-mod` and `ipa passwd`?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-287761849
abbra
2017-03-20 14:19:43 UTC
URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --force-password-reset to user_mod in user.py

abbra commented:
"""
Hm. `ipa user-mod` has --random and also supports specifying --password, so yes, both interfaces should be provided.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-287772855
HonzaCholasta
2017-03-20 14:30:04 UTC
URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --force-password-reset to user_mod in user.py

HonzaCholasta commented:
"""
I don't agree. There should be one and only one obvious way to do it. There is no real benefit in having this in multiple different places, it just adds unnecessary complexity. Let's not repeat mistakes of the past and put this solely into `passwd`.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-287776107
HonzaCholasta
2017-03-20 14:46:02 UTC
URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --force-password-reset to user_mod in user.py

HonzaCholasta commented:
"""
Actually, maybe `user-mod` is a better place for the option, as it does LDAP modify operation, whereas `passwd` does LDAP password change extended operation.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-287781294
redhatrises
2017-03-20 16:04:58 UTC
URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --force-password-reset to user_mod in user.py

redhatrises commented:
"""
Okay, so since it will reside in one location, should it be `user-mod` (PR already uses `user-mod`) or `passwd`?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-287807607
abbra
2017-03-20 16:39:54 UTC
URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --force-password-reset to user_mod in user.py

abbra commented:
"""
Ok, let's go with `user-mod` as original request goes, based on the fact that we are not changing the password, we are changing its properties.

LGTM.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-287819233
HonzaCholasta
2017-03-21 06:59:33 UTC
URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --force-password-reset to user_mod in user.py

HonzaCholasta commented:
"""
I have given this some thought over the night - maybe we should make the option more generic and allow the user to specify the expiration time rather than special case it for "now" time, i.e. `--password-expiration=2017-03-21T07:58:05Z` to expire the password at a specific time, `--password-expiration=now` to expire the password now, just like `--force-password-reset` does.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-287992866
redhatrises
2017-03-21 12:30:08 UTC
URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --force-password-reset to user_mod in user.py

redhatrises commented:
"""
@HonzaCholasta that's an interesting idea. Most of the time, a password reset is forced immediately, but that does provide more flexibility. I assume that the datetime input should match the `2017-03-21T07:58:05Z` format?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-288063972
HonzaCholasta
2017-03-21 14:46:12 UTC
URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --force-password-reset to user_mod in user.py

HonzaCholasta commented:
"""
@redhatrises, do not handle the format yourself, use the `DateTime` param type. Note that you will need to extend it to correctly interpret the "now" value.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-288101283
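
The parsing that the `now` / explicit-timestamp option discussed above implies, as an added example that is not part of the thread and not FreeIPA's own `DateTime` code. The function names and the two accepted input formats are assumptions for illustration; the output is the LDAP GeneralizedTime form that an attribute such as `krbPasswordExpiration` stores.

```python
from datetime import datetime, timezone

# LDAP GeneralizedTime (UTC) as stored in the directory.
LDAP_GENERALIZED_TIME = "%Y%m%d%H%M%SZ"
# Assumed input formats: the ISO form quoted in the thread, plus raw LDAP form.
ACCEPTED_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", LDAP_GENERALIZED_TIME)


def parse_password_expiration(value, now=None):
    """Return a naive UTC datetime for 'now' or an explicit UTC timestamp.

    `now` can be injected so the result is deterministic in tests.
    """
    if not isinstance(value, str):
        raise ValueError("expiration must be a string")
    text = value.strip()
    if text.lower() == "now":
        current = now or datetime.now(timezone.utc).replace(tzinfo=None)
        # GeneralizedTime here carries whole seconds only.
        return current.replace(microsecond=0)
    for fmt in ACCEPTED_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    # Anything without an explicit trailing 'Z' ends up here, so an expiry
    # is never silently interpreted in the server's local time zone.
    raise ValueError("unsupported expiration value: %r" % value)


def to_generalized_time(moment):
    """Format a UTC datetime as an LDAP GeneralizedTime string."""
    return moment.strftime(LDAP_GENERALIZED_TIME)


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("now", "2017-03-21T07:58:05Z", "2017-03-21 07:58:05"):
        try:
            print(sample, "->", to_generalized_time(parse_password_expiration(sample)))
        except ValueError as exc:
            print(sample, "-> rejected:", exc)
```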
redhatrises
2017-03-29 03:54:42 UTC
URL: https://github.com/freeipa/freeipa/pull/621
Author: redhatrises
Title: #621: Add --force-password-reset to user_mod in user.py
Action: synchronized

redhatrises
2017-03-29 13:12:17 UTC
URL: https://github.com/freeipa/freeipa/pull/621
Author: redhatrises
Title: #621: Add --force-password-reset to user_mod in user.py
Action: synchronized

redhatrises
2017-03-29 13:15:28 UTC
URL: https://github.com/freeipa/freeipa/pull/621
Author: redhatrises
Title: #621: Add --password-expiration to allow an admin to force a password change
Action: edited

Changed field: title
Original value:
"""
Add --force-password-reset to user_mod in user.py
"""
redhatrises
2017-03-29 13:19:01 UTC
URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --password-expiration to allow an admin to force a password change

redhatrises commented:
"""
@HonzaCholasta used `datetime.utcnow()` as I couldn't find a reference for `datetime.utctime()`
"""

See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-290086917
HonzaCholasta
2017-03-29 13:22:33 UTC
URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --password-expiration to allow an admin to force a password change

HonzaCholasta commented:
"""
@redhatrises, `datetime.utcnow()` is what I meant.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-290087879
redhatrises
2017-03-29 13:28:07 UTC
URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --password-expiration to allow an admin to force a password change

redhatrises commented:
"""
> @redhatrises, `datetime.utcnow()` is what I meant.

Oh good. Ready for your review.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-290089437
HonzaCholasta
2017-03-29 14:48:54 UTC
URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --password-expiration to allow an admin to force a password change

HonzaCholasta commented:
"""
The `admin` user is not allowed to write to the attribute:
```
$ kinit admin
Password for ***@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM:
$ ipa user-mod jcholast --password-expiration=now
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'krbPasswordExpiration' attribute of entry 'uid=jcholast,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'.
```
Please update the "Admin can manage any entry" ACI in `install/updates/20-aci.update`.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-290114123
redhatrises
2017-03-29 15:13:04 UTC
URL: https://github.com/freeipa/freeipa/pull/621
Author: redhatrises
Title: #621: Add --password-expiration to allow an admin to force a password change
Action: synchronized

redhatrises
2017-03-29 15:14:53 UTC
URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --password-expiration to allow an admin to force a password change

redhatrises commented:
"""
@HonzaCholasta updated "Admins can write passwords" ACI to contain 'krbPasswordExpiration' as the "Admin can manage any entry" ACI already had 'krbPasswordExpiration' added.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-290122377
redhatrises
2017-03-30 02:35:32 UTC
URL: https://github.com/freeipa/freeipa/pull/621
Author: redhatrises
Title: #621: Add --password-expiration to allow an admin to force a password change
Action: synchronized

HonzaCholasta
2017-03-30 08:58:21 UTC
URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --password-expiration to allow an admin to force a password change

HonzaCholasta commented:
"""
@redhatrises, the "Admin can manage any entry" ACI in fact contains a blacklist of attributes which admins aren't allowed to write. To actually fix the issue you must also remove `krbPasswordExpiration` from the "Admin can manage any entry" ACI.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-290347117
redhatrises
2017-03-31 00:24:13 UTC
URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --password-expiration to allow an admin to force a password change

redhatrises commented:
"""
@HonzaCholasta I also removed `krbPasswordExpiration` from the "Admin can manage any entry" ACI.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-290581916
redhatrises
2017-03-31 00:22:23 UTC
URL: https://github.com/freeipa/freeipa/pull/621
Author: redhatrises
Title: #621: Add --password-expiration to allow an admin to force a password change
Action: synchronized

HonzaCholasta
2017-03-31 07:11:19 UTC
URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --password-expiration to allow an admin to force a password change

HonzaCholasta commented:
"""
Works for me. Thanks!
"""

See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-290635083
HonzaCholasta
2017-03-31 07:12:06 UTC
URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --password-expiration to allow an admin to force a password change

Label: +ack
MartinBasti
2017-03-31 10:20:02 UTC
URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --password-expiration to allow an admin to force a password change

Label: +pushed
MartinBasti
2017-03-31 10:20:10 UTC
URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --password-expiration to allow an admin to force a password change

MartinBasti commented:
"""
master:

* 274b0bcf5ff2408739d94ba1b1b4bca69f310dfc Add --password-expiration to allow admin to force user password expiration


"""

See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-290675831
MartinBasti
2017-03-31 10:20:13 UTC
URL: https://github.com/freeipa/freeipa/pull/621
Author: redhatrises
Title: #621: Add --password-expiration to allow an admin to force a password change
Action: closed
