Password is expired just after user is added to FreeIPA?

I have set up a FreeIPA server. I am facing an issue: the password is expired when a user is first created, so a new user always has to set his password when he logs in for the first time, which is defined here. But I don't want this feature.

I am using this library to create or add users in FreeIPA.

So, I connect with FreeIPA like this:

private function getIPA()
{
    $host = env('FREEIPA_HOST', 'cloud-host-ipa.com');
    // CA certificate used to verify the FreeIPA server's TLS certificate
    $certificate = database_path(env('FREEIPA_CERTIFICATE', 'ca.crt'));
    try {
        return new \FreeIPA\APIAccess\Main($host, $certificate);
    } catch (\Exception $e) { // fully qualified so the catch also matches inside a namespaced class
        throw new \ErrorException("Error {$e->getCode()}: {$e->getMessage()}");
    }
}

private function getIPAConnection() // Get an authenticated admin IPA connection
{
    $ipa = $this->getIPA();

    try {
        $auth = $ipa->connection()->authenticate(env('FREEIPA_ADMIN_NAME', 'oc-ipa-connector'), env('FREEIPA_ADMIN_PASS', 'ADMIN_PASS'));
        if ($auth) {
            return $ipa;
        } else {
            // Surface the server's reason for rejecting the login
            $auth_info = $ipa->connection()->getAuthenticationInfo();
            $auth_info = implode(' ', $auth_info);
            throw new \ErrorException("\nLogin Failed : {$auth_info}");
        }
    } catch (\Exception $e) {
        throw new \ErrorException("\nError {$e->getCode()}: {$e->getMessage()}");
    }
}

Then I add a user like this:

$ipa = $this->getIPAConnection();
try {
    // Attributes for the new FreeIPA user entry; no password is set here,
    // it is assigned in a separate modify call below
    $new_user_data = array(
        'givenname' =>  $givenname,
        'sn'        =>  $sn,
        'uid'       =>  $uid,
        //'userpassword' => $_POST["userpassword"],
        'mail'      =>  $mail,
        'mobile'    =>  $phone
    );

    $add_user = $ipa->user()->add($new_user_data);
    if ($add_user) {
        return true;
    }
    return false;
} catch (\Exception $e) {
    throw new \ErrorException("Error {$e->getCode()}: {$e->getMessage()}");
}

This code works fine and the user is added.

Then I set the password with this code:

$ipa = $this->getIPAConnection();

try {
    // Make sure the user exists before trying to modify it
    $user_info = $ipa->user()->get($uid);

    if ($user_info != false) {
        try {
            // Setting userpassword through the admin connection counts as an
            // administrative reset in FreeIPA
            $new_user_data = array(
                'userpassword' => $password,
            );

            $mod_user = $ipa->user()->modify($uid, $new_user_data);

            return (bool) $mod_user;
        } catch (\Exception $e) {
            throw new \ErrorException("Error {$e->getCode()}: {$e->getMessage()}");
        }
    }
    return false;
} catch (\Exception $e) {
    throw new \ErrorException("Error {$e->getCode()}: {$e->getMessage()}");
}

The password is also set perfectly. But the password is expired automatically just after it is set.

I want my users to keep this password for at least 1 week, so I want to disable this feature. Is there any practical way?

Re-

I have created this issue in FreeIPA asking for a workaround, but the issue was closed and marked as "Closed: wontfix". So, I wonder whether a workaround exists?

Abrar Jahin asked Sep 06 '25 03:09


2 Answers

The answer was provided in the link https://www.redhat.com/archives/freeipa-users/2012-June/msg00360.html.

There is a global policy for passwords that you can see from the command below:

[server]$ ipa pwpolicy-show
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600

You can create a new policy override for the group to which you are adding the user by running the command:

[server]$ ipa pwpolicy-add sysadmin --minlife=0
Priority: 50
  Group: sysadmin
  Min lifetime (hours): 0
  Priority: 50

Now this policy overrides the global password policy and creates a policy just for the group.

If you want to modify the global policy, you can do the same with the command:

[server]$ ipa pwpolicy-mod global_policy --minlife=0
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 0
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600

Note the change in Min lifetime (hours) to 0, which causes the password to never expire.

After you create the user you need to run this code from a script on the server:

# The three lines answer kinit's prompts for the expired password: current, new, confirmation
echo -e "$PASSWORD\n$PASSWORD\n$PASSWORD" | kinit "$username"
kdestroy

Note that you need to pass PASSWORD and username as parameters to the script and execute this script remotely.

randominstanceOfLivingThing answered Sep 09 '25 16:09


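A script that automates the steps of this answer (check the user's effective policy, set the password as admin, then rotate it through kinit so it is no longer marked expired), as an added example that is not part of the answer or of FreeIPA itself. It assumes the ipa and kinit CLIs on an enrolled host and an admin ticket already in the default credential cache; the password is fed over stdin rather than placed in a command line, where `ps` could show it.

```shell
#!/usr/bin/env bash
# Added example (not code from the question or the answers): automates the workaround
# above. Assumes a host with the `ipa` and `kinit` CLIs and an admin Kerberos ticket
# already in the default credential cache (`kinit admin`), which `ipa` needs.
set -euo pipefail

# Extract "Min lifetime (hours): N" from `ipa pwpolicy-show` output read on stdin.
# kinit refuses a password change while the password is inside its min lifetime,
# so the user's effective policy must report 0 here before the rotation below.
min_lifetime_hours() {
    awk -F': *' '/^ *Min lifetime \(hours\):/ { print $2; found = 1 }
                 END { if (!found) print "unknown" }'
}

# Turn an admin-set (hence expired) password into a user-set one by answering the
# expired-password prompts of kinit: current password, new password, confirmation.
# Supplying the same value three times keeps the password but records it as changed
# by the user, so Max lifetime now counts from today. With a non-zero History size
# the same value would be rejected; the default global_policy has History size 0.
# The user's ticket goes to a throwaway cache so the admin ticket is not replaced.
reset_initial_password() {
    user="$1"
    password="$2"
    ccache="$(mktemp)"
    printf '%s\n%s\n%s\n' "$password" "$password" "$password" \
        | KRB5CCNAME="FILE:$ccache" kinit "$user"
    KRB5CCNAME="FILE:$ccache" kdestroy
    rm -f "$ccache"
}

# Constructed sample of `ipa pwpolicy-show` output for an offline self-check.
SAMPLE_POLICY='  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 0'

# Usage: ./reset-initial-password.sh USERNAME PASSWORD (the real steps run only then).
if [ "$#" -eq 2 ]; then
    minlife="$(ipa pwpolicy-show --user="$1" | min_lifetime_hours)"
    if [ "$minlife" != "0" ]; then
        echo "effective Min lifetime (hours) is '$minlife'; add a --minlife=0 policy for the user's group first" >&2
        exit 1
    fi
    # Admin sets the password (FreeIPA marks it expired); value given on stdin, twice for the verify prompt
    printf '%s\n%s\n' "$2" "$2" | ipa user-mod "$1" --password
    reset_initial_password "$1" "$2"
    # Show the resulting expiration attribute so the operator can confirm it is now in the future
    ipa user-show "$1" --all --raw | grep -i '^ *krbpasswordexpiration:'
fi
```
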
See https://www.freeipa.org/page/New_Passwords_Expired - basically FreeIPA has a policy that admin-set passwords are immediately expired. I believe the "password lifetime" then only applies once the user has themselves changed their password.

lost answered Sep 09 '25 15:09