Problem:

When an administrator resets a user's password, FreeIPA marks the new password as expired, so the user is forced to change it at the next login. This is the wanted behavior for ordinary user accounts, but it is undesired for certain admin-managed accounts such as ‘admpass’, whose password is meant to stay exactly as the administrator set it.

Process:

The expert first reviewed the client’s IPA password policy and proposed using the krbPasswordExpiration attribute to control when the password expires. Setting that attribute in the same user modification that resets the password did not produce the expected result: FreeIPA’s password-change handling treats an admin-set password as expired and overwrites the expiration value supplied alongside it.

Solution:

Policy Adjustment: The expert suggested adjusting the IPA policy to make an exception for admin-reset passwords on the affected accounts. Because FreeIPA will mark every admin-set password as expired regardless, the discussion turned to scripting the follow-up step that puts the expiration back to a non-expiring state after each reset.

Scripting Solution: Proposed a script that, after an admin reset, sets krbPasswordExpiration on the account to a date in the future in a separate modification. This keeps passwords that the administrator sets on accounts such as ‘admpass’ from expiring unless they are explicitly changed again.
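The two-step reset described above, as an added example and not a script from the original case. It assumes the FreeIPA client tools are installed, that the caller already holds an admin Kerberos ticket (kinit admin), and that the environment variable IPA_CMD, the hypothetical helper names and the 3650-day default are this example’s own choices. The important point it demonstrates is that the password reset and the krbPasswordExpiration update are issued as two separate ipa user-mod calls, because a single call that carries both is overridden by the password-change handling.

```shell
#!/bin/sh
# Added example (not from the original case): reset a FreeIPA user's password
# as admin, then in a SECOND modification push krbPasswordExpiration into the
# future so the user is not forced to change the password at next login.
#
# Assumptions: ipa client tools installed, an admin ticket held (kinit admin).
# IPA_CMD is an assumption of this example; set IPA_CMD=echo for a dry run.
set -eu

IPA_CMD="${IPA_CMD:-ipa}"

# Produce the generalized-time value FreeIPA uses for krbPasswordExpiration,
# e.g. 20300101000000Z, for a number of days from now. GNU date first, BSD
# date as a fallback.
expiry_stamp() {
    days="$1"
    date -u -d "+${days} days" '+%Y%m%d%H%M%SZ' 2>/dev/null \
        || date -u -v+"${days}"d '+%Y%m%d%H%M%SZ'
}

# Sanity check: exactly 14 digits followed by Z. Anything else is rejected
# before we touch the directory.
is_gentime() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]Z) return 0 ;;
        *) return 1 ;;
    esac
}

# Reset the password of user $1 (ipa prompts for the new password), then set
# the expiration to $2 in a separate modification, then show what the server
# actually stored so the operator can confirm the override took effect.
reset_nonexpiring() {
    user="$1"
    expires="$2"
    is_gentime "$expires" || { echo "bad expiration: $expires" >&2; return 2; }

    # Step 1: admin reset. FreeIPA marks the new password expired at this point.
    "$IPA_CMD" user-mod "$user" --password

    # Step 2: separate modify; done in the same call as step 1 it is overridden.
    "$IPA_CMD" user-mod "$user" --setattr "krbPasswordExpiration=$expires"

    # Step 3: read back the stored value (lower-case attribute name in --raw output).
    "$IPA_CMD" user-show "$user" --all --raw \
        | grep -i '^ *krbpasswordexpiration:' || true
}

# Usage (interactive, prompts twice for the new password):
#   reset_nonexpiring admpass "$(expiry_stamp 3650)"
```

Run it with IPA_CMD=echo first to see the exact commands it will issue; the read-back in step 3 is the check that matters, since a value still equal to the reset time means the second modification did not apply (for example because the ticket held was not an administrator's).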

Conclusion:

Setting krbPasswordExpiration in the same modification as the password reset does not work, because FreeIPA marks every admin-set password as expired. The workaround is a script that performs the reset and then, in a separate step, sets the expiration back to a future date for the affected accounts. This keeps the client’s password-management practice for admin-managed accounts intact while working within FreeIPA’s constraints.