kadmin -k -t $KEYTABLOCATION -p $SERVICEPRINCIPAL -q "cpw $PRINCIPAL -pw $PASSWORD"
What we found is that this command ignores the password policy assigned to the principal, including all the complexity rules and history options. No matter if the command is launched in a kadmin console interactive mode, policies are totally ignored.
If we use:
kpasswd $PRINCIPAL
I can change the password of the principal all the time with that policy applied, despite the minimum password life described.
Also I'm able to apply old passwords and the history is not being respected, but I'm afraid that's the expected behavior because of the LDAP database module.
I understand that cpw is more like the administration password changing tool, and in order to be able to change the password whenever the system administrator requires it, the minimum password life is not being applied.
But then, any ideas about how we could proceed?
That's true. The kadmin server code deliberately only checks the minimum life if a principal is changing its own password.
Right, LDAP password history is implemented in release 1.15 but not in 1.12.
I guess you could print a kadmin ticket for the user from the KDB and then authenticate with it:
kinit -k -c somefilename -t KDB: -S kadmin/admin username
kadmin -c somefilename -q "cpw -pw password username"
kinit -t KDB: support was added in release 1.9, so should be available.
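The workaround above (obtain a kadmin/admin ticket for the user directly from the KDB, then run cpw as that user so kadmind applies the policy) is easy to get subtly wrong when scripted: the ticket should live in a private, short-lived credential cache, it should be destroyed even if kadmin fails, and the principal name should not be able to smuggle extra commands into the -q string. The following wrapper is an added example, not code from the thread or from MIT krb5; it assumes MIT krb5 1.9 or later, execution on the KDC host with read access to the KDB (which kinit -t KDB: requires), and that a kadmin/admin service principal exists. The DRY_RUN variable and the build_* helpers are constructs of this example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or MIT krb5 itself).
# Change a principal's password through the principal's own kadmin ticket,
# so that kadmind's policy checks (minimum password life; history where
# the KDB module supports it) are enforced, unlike an admin-driven cpw.
# Assumptions: MIT krb5 >= 1.9 (kinit -t KDB:), run on the KDC host with
# read access to the KDB, and a kadmin/admin service principal present.
set -eu

# Build the kinit command line: a kadmin/admin service ticket for the
# principal is printed straight from the KDB into a named cache.
# Pure string assembly so it can be inspected without a KDC.
build_kinit_cmd() {
    # $1 = principal, $2 = credential cache path
    printf 'kinit -k -t KDB: -c %s -S kadmin/admin %s' "$2" "$1"
}

# Build the kadmin command line. -pw is deliberately omitted: kadmin then
# prompts for the new password, so it never appears in the process list.
build_kadmin_cmd() {
    # $1 = principal, $2 = credential cache path
    printf 'kadmin -c %s -q "cpw %s"' "$2" "$1"
}

# Reject principal names containing characters that could inject a
# second kadmin command (';', whitespace) or shell metacharacters.
valid_principal() {
    case "$1" in
        ''|*[!A-Za-z0-9_.@/-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Perform the policy-enforced change for one principal.
# With DRY_RUN=1 the commands are only printed (constructed for review).
policy_enforced_cpw() {
    principal="$1"
    valid_principal "$principal" || { echo "invalid principal: $principal" >&2; return 2; }
    ccache="$(mktemp /tmp/krb5cc_cpw.XXXXXX)"   # private cache, mode 0600
    # Destroy the short-lived kadmin ticket even if a later step fails.
    trap 'kdestroy -c "$ccache" 2>/dev/null; rm -f "$ccache"' EXIT
    if [ "${DRY_RUN:-0}" = 1 ]; then
        build_kinit_cmd "$principal" "$ccache"; echo
        build_kadmin_cmd "$principal" "$ccache"; echo
        return 0
    fi
    kinit -k -t KDB: -c "$ccache" -S kadmin/admin "$principal"
    kadmin -c "$ccache" -q "cpw $principal"
}
```

Usage: `policy_enforced_cpw alice@EXAMPLE.COM` prompts for the new password and fails with the policy error if the minimum life has not elapsed; `DRY_RUN=1 policy_enforced_cpw alice@EXAMPLE.COM` only prints the two commands. Because the ticket is minted from the KDB rather than with the user's password, this is still an administrative action and should be logged as such; it just routes the change through the code path where kadmind applies the principal's policy.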