
ipauser does not set the "change password on next logon" flag

Open itcultus opened this issue 3 years ago • 8 comments

I don't know if we have to consider this as a bug or an RFE.
However, when we create users, especially in bulk, I would expect their password to be reset at the next logon in order to be aligned with the established behavior of the GUI/CLI tools. Using the passwordexpiration option is not viable since it resets the password expiration date every time a playbook/role is executed, so if a user resets their password they will be forced to change it again. And if a password policy is in place (as it should be) then, most probably, users will not be able to reset it again before the "min-password-change" time elapses.

In any case, what I would like to see:

  • The passwordexpiration option should work in conjunction with the update_password directive
    • If this is not possible, then we should have another option to force password reset on user's next logon

itcultus avatar Jan 24 '22 14:01 itcultus

This is a result of using the server context that ansible-freeipa plugins are using by default. I opened a ticket for IPA: https://pagure.io/freeipa/issue/9097. For now you can use the client context to have the same behaviour (ipaapi_context: client), but this will have an impact on the execution time of the task.

t-woerner avatar Jan 26 '22 13:01 t-woerner

Do I need to execute the code on a client, or the "client" context is honored even when I actually use a server to run it? (Interesting bug btw)

itcultus avatar Jan 26 '22 13:01 itcultus

@itcultus if you add 'ipaapi_context: client' to the task it can be executed on a server. If you execute it on a client host, it will set the context to 'client' by default (and you probably wouldn't notice this issue).

rjeffman avatar Jan 26 '22 13:01 rjeffman

@rjeffman I am modifying my roles now and I will report back for the rest that see this issue.

itcultus avatar Jan 26 '22 13:01 itcultus

Setting the context to client (ipaapi_context: client) worked as proposed by @rjeffman.

itcultus avatar Jan 27 '22 14:01 itcultus

@itcultus could you please elaborate more on your solution, as I am having the same challenge to force users to change their password on first login. I am not familiar with the usage of contexts.

Are you creating them in a similar way to what is written below?

vars:

```yaml
user_names:
  - first: John
    last: Doe
  - first: James
    last: Doe

initial_user_pass: changeme
```

play:

```yaml
    - name: Ensure that user is present.
      freeipa.ansible_freeipa.ipauser:
        ipaadmin_password: "{{ idm_pass }}"
        name: "{{ item.first[0] | lower }}{{ item.last | lower }}"
        first: "{{ item.first }}"
        last: "{{ item.last }}"
        password: "{{ initial_user_pass }}"
        update_password: on_create
        ipaapi_context: client
        state: present
      loop: "{{ user_names }}"
```

maroskukan avatar Mar 09 '22 16:03 maroskukan
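A post-deployment check for the behaviour discussed in this thread, added here as an example and not part of the issue or of ansible-freeipa: FreeIPA marks a password as "must change at next logon" by storing a krbPasswordExpiration that is already in the past, so after running the play above you can confirm the flag took effect by inspecting each user. The script assumes the output format of `ipa user-show <login> --all --raw` (one `attribute: value` line per attribute, GeneralizedTime values) and uses constructed sample output for two users plus a password-less one; the logins, DN and times are invented.

```python
from datetime import datetime, timezone

# Constructed sample output of `ipa user-show <login> --all --raw` (not taken from
# the issue); keys are LDAP attribute names, times are GeneralizedTime in UTC.
SAMPLE_OUTPUT = {
    # created with ipaapi_context: client -> expiration set to the creation time
    "jdoe": "dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=test\n"
            "uid: jdoe\nkrbpasswordexpiration: 20220126130000Z\n",
    # created in the default server context -> policy expiry 90 days ahead
    "jadoe": "dn: uid=jadoe,cn=users,cn=accounts,dc=example,dc=test\n"
             "uid: jadoe\nkrbpasswordexpiration: 20220426130000Z\n",
    # no password set at creation -> nothing to enforce yet
    "nopass": "dn: uid=nopass,cn=users,cn=accounts,dc=example,dc=test\nuid: nopass\n",
}
NOW = datetime(2022, 1, 27, 14, 0, tzinfo=timezone.utc)  # constructed "now"

def parse_raw_user_show(text):
    """Parse `attribute: value` lines into {attribute: [values]} (lowercase keys)."""
    attrs = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
    return attrs

def parse_generalized_time(value):
    """LDAP GeneralizedTime 'YYYYMMDDHHMMSSZ' -> timezone-aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def must_change_at_next_logon(attrs, now=None):
    """True if the password is already expired (change forced at next logon),
    False if it only expires in the future, None if no expiration is recorded."""
    values = attrs.get("krbpasswordexpiration")
    if not values:
        return None
    now = now or datetime.now(timezone.utc)
    return parse_generalized_time(values[0]) <= now

def users_without_forced_change(outputs, now=None):
    """Logins whose initial password will NOT be forced to change at next logon:
    the symptom this issue describes for users created in the server context."""
    return sorted(login for login, text in outputs.items()
                  if must_change_at_next_logon(parse_raw_user_show(text), now) is False)
```

In practice, feed `users_without_forced_change` the real `ipa user-show --all --raw` output for each login the play created; a non-empty result means those users were created without the change-on-next-logon behaviour.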

Yes. Let me check with some examples.

itcultus avatar Mar 09 '22 17:03 itcultus

@itcultus thanks for confirming, I have tried the above playbook and it works as expected.

maroskukan avatar Mar 16 '22 14:03 maroskukan