Problem:
The client wanted to allow admins to reset user passwords without forcing the next login change.
Process:
The expert confirmed that FreeIPA did not honor a value set with --setattr=krbPasswordExpiration from the command line. The password changed, but the expiry date was automatically reset to the value derived from global_policy (`ipa pwpolicy-show`).
The expert tried to create a custom FreeIPA user password policy with customized default values for min and max lifetime, but it still conflicted with the default values.
The expert tried the following command: echo P@ssw0rd | ipa user-mod testuser1 --setattr=krbPasswordExpiration=20301231011529Z --password. The expiry did not change, and the password was expired after the change.
Solution:
The expert suggested two ways to solve the issue:
1) Adjusting the global password policy (note that --minlife is given in hours and --maxlife in days, and the change applies to every user covered by global_policy):
ipa pwpolicy-mod global_policy --minlife 1095 --maxlife 3650
2) Changing the password, then adjusting the password expiration in a second step
The expert created a bash script that helps with password reset while changing the expiry date for the user. The script:
#!/bin/bash
# Reset a FreeIPA user's password, then push the expiry out so the user is not forced to change it at next login

# Function to display help message
display_help() {
  echo
  echo "Usage: $0 <username> <password> <expiry_date>"
  echo " where:"
  echo "  username:    Username of the user"
  echo "  password:    Password of the user"
  echo "  expiry_date: Expiration date in format YYYYMMDDHHMMSSZ"
  echo ""
  echo "Example: $0 jmutai P@ssw0rd 20341231011529Z"
  exit 1
}

# Show help if there are no arguments or the --help option is provided
if [ $# -eq 0 ] || [ "$1" == "--help" ]; then
  display_help
fi

# Username: use the first argument, otherwise prompt for it
if [ -z "$1" ]; then
  read -r -p "Please enter the username: " username
else
  username=$1
fi

# Password: use the second argument, otherwise prompt for it (-s keeps it off the terminal)
if [ -z "$2" ]; then
  read -r -s -p "Please enter the password: " userpassword
  echo
else
  userpassword=$2
fi

# Expiration date: use the third argument, otherwise prompt for it
if [ -z "$3" ]; then
  read -r -p "Please enter the expiration date (format: YYYYMMDDHHMMSSZ): " expiration
else
  expiration=$3
fi

# Optional: if the password is read twice, compare both entries before continuing
#if [[ "$userpass1" != "$userpass2" ]]; then
#  echo "Passwords do not match. Exiting..."
#  exit 1
#fi

# Set user password (ipa reads the new password from stdin); stop if this step fails
echo "Setting password..."
echo "$userpassword" | ipa user-mod "$username" --password || exit 1

# Set krbPasswordExpiration in a separate call, after the password change, so the policy-driven reset does not override it
echo
echo "Setting password expiry to long time..."
ipa user-mod "$username" --setattr=krbPasswordExpiration="$expiration"
The script takes three arguments: username, password and expiry_date (in YYYYMMDDHHMMSSZ format); any argument that is not supplied is prompted for interactively. Passing the password as a command-line argument exposes it in shell history and process listings, so the interactive prompt is the safer path.
Defaults, such as the expiry date or optionally the user password, can be set once in the script.
If the customer intended that all user accounts in FreeIPA respect the global password max age, “Max lifetime (days)”, a workaround could have been used to avoid setting a predetermined expiry date. They could have obtained the max lifetime from the FreeIPA server and formatted the date, subtracting X days if needed. Assuming the max lifetime was set to 3650 days, they could have set the default user password expiry after a change to this period. Alternatively, they could have set it somewhat earlier, for example a few days before the max date.
The expert also suggested the following bash script, which can be incorporated into the main script so that the initial user password expiry is derived from ‘Max lifetime (days)’; this can be a high value, e.g. 3650 days, set with ‘ipa pwpolicy-mod global_policy --minlife 1 --maxlife 3650’.
#!/bin/bash
# Derive a krbPasswordExpiration value from the global policy's 'Max lifetime (days)', minus a safety margin

# Extract the 'Max lifetime (days)' value using grep and awk
max_lifetime=$(ipa pwpolicy-show | grep "Max lifetime (days)" | awk '{print $NF}')

# Stop if the policy has no max lifetime; an empty value would break the arithmetic below
if [ -z "$max_lifetime" ]; then
  echo "Could not read 'Max lifetime (days)' from ipa pwpolicy-show" >&2
  exit 1
fi

# Adjust the max_lifetime value by subtracting 10
adjusted_max_lifetime=$((max_lifetime - 10))

# Use Python to calculate the new date and format it (the heredoc is fed to python3 on stdin)
formatted_date=$(python3 - <<END
import datetime

# Get the adjusted_max_lifetime from the shell variable
adjusted_max_lifetime = int("$adjusted_max_lifetime")

# Current date and time in UTC
current_date = datetime.datetime.now(datetime.timezone.utc)

# Add adjusted_max_lifetime days
new_date = current_date + datetime.timedelta(days=adjusted_max_lifetime)

# Format the new date as YYYYMMDDHHMMSSZ and print it
print(new_date.strftime('%Y%m%d%H%M%SZ'))
END
)

# Print the result
echo "Formatted date: $formatted_date"
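The expiry computation from the two passages above, plus the post-reset check a practitioner would want, as an added example that is not part of the original write-up: it parses constructed sample output of `ipa pwpolicy-show` and `ipa user-show --all --raw` (layouts assumed, not captured from a server), derives the expiry from the max lifetime minus a margin, validates the timestamp format, and confirms the stored attribute equals the requested value.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `ipa pwpolicy-show` output (layout assumed, not captured from a server)
PWPOLICY_OUTPUT = """\
  Group: global_policy
  Max lifetime (days): 3650
  Min lifetime (hours): 1
"""

# Constructed sample of `ipa user-show testuser1 --all --raw` output, trimmed (layout assumed)
USER_SHOW_OUTPUT = """\
  uid: testuser1
  krbpasswordexpiration: 20341231011529Z
"""

KRB_TIME = "%Y%m%d%H%M%SZ"  # generalized time, the format krbPasswordExpiration is stored in
FIXED_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time for the demo

def max_lifetime_days(pwpolicy_text):
    """Return 'Max lifetime (days)' from pwpolicy-show output, or None if the line is absent."""
    m = re.search(r"Max lifetime \(days\):\s*(\d+)", pwpolicy_text)
    return int(m.group(1)) if m else None

def is_valid_expiry(value):
    """True when value is a well-formed YYYYMMDDHHMMSSZ timestamp (what --setattr expects)."""
    try:
        datetime.strptime(value, KRB_TIME)
        return True
    except ValueError:
        return False

def expiry_from_policy(pwpolicy_text, margin_days=10, now=None):
    """now + (max lifetime - margin) days, formatted for --setattr=krbPasswordExpiration.
    Raises ValueError if the policy has no max lifetime or the margin is not smaller than it."""
    days = max_lifetime_days(pwpolicy_text)
    if days is None:
        raise ValueError("policy output has no 'Max lifetime (days)' line")
    if margin_days >= days:
        raise ValueError("margin must be smaller than the max lifetime")
    now = now or datetime.now(timezone.utc)
    return (now + timedelta(days=days - margin_days)).strftime(KRB_TIME)

def expiry_matches(user_show_text, expected):
    """Post-reset check: does user-show report exactly the expiry that was requested?"""
    m = re.search(r"(?i)krbpasswordexpiration:\s*(\S+)", user_show_text)
    return bool(m) and m.group(1) == expected
```

Feed the real command output into these functions after the second `ipa user-mod` call; a mismatch means the policy-driven reset overrode the attribute again.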
Conclusion:
The client required a method for admins to reset user passwords without forcing a change at the next login. The expert confirmed that FreeIPA did not honor ‘--setattr=krbPasswordExpiration’ from the command line and attempted to create a custom password policy, but it conflicted with the default values. To solve the issue, the expert proposed adjusting the global password policy or using a bash script that resets the password and then changes the expiry date in a separate step. The script allowed setting both the password and the expiration date, providing a practical solution that met the client’s requirements.