freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA
GNU General Public License v3.0
500 stars 232 forks

ipauser does not set the "change password on next logon" flag #745

Open itcultus opened 2 years ago

itcultus commented 2 years ago

I don't know if we have to consider this as a bug or an RFE.
However, when we create users, especially in bulk, I would expect their password to be reset on the next logon, in order to be aligned with the established behavior of the GUI/CLI tools. Using the passwordexpiration option is not viable, since it resets the password expiration date every time a playbook/role is executed; so, if a user resets their password, they will be forced to change it again. And if a password policy is in place (as it should be), then most probably users will not be able to reset it again before the "min-password-change" time elapses.

In any case, what I would like to see:

t-woerner commented 2 years ago

This is a result of using the server context that ansible-freeipa plugins are using by default. I opened a ticket for IPA: https://pagure.io/freeipa/issue/9097. For now you can use the client context to get the same behaviour: ipaapi_context: client. But this will have an impact on the execution time of the task.

itcultus commented 2 years ago

Do I need to execute the code on a client, or the "client" context is honored even when I actually use a server to run it? (Interesting bug btw)

rjeffman commented 2 years ago

@itcultus if you add 'ipaapi_context: client' to the task, it can be executed on a server. If you execute it on a client host, it will set the context to 'client' by default (and you probably wouldn't notice this issue).

itcultus commented 2 years ago

@rjeffman I'll modify my roles now and report back for the rest who see this issue.

itcultus commented 2 years ago

Setting the context to client (ipaapi_context: client) worked as proposed by @rjeffman.

maroskukan commented 2 years ago

@itcultus could you please elaborate more on your solution, as I am having the same challenge to force users to change their password on first login. I am not familiar with the usage of contexts.

Are you creating them in a similar way to what is written below?

vars:

    user_names:
      - first: John
        last: Doe
      - first: James
        last: Doe

    initial_user_pass: changeme

play:

    - name: Ensure that user is present.
      freeipa.ansible_freeipa.ipauser:
        ipaadmin_password: "{{ idm_pass }}"
        # login name: first initial + last name, lower-cased
        name: "{{ item.first[0] | lower }}{{ item.last | lower }}"
        first: "{{ item.first }}"
        last: "{{ item.last }}"
        password: "{{ initial_user_pass }}"
        # only set the password when the user is created, not on every run
        update_password: on_create
        # client context so the password is expired at creation (see freeipa issue 9097)
        ipaapi_context: client
        state: present
      loop: "{{ user_names }}"

itcultus commented 2 years ago

Yes. Let me check with some examples.

maroskukan commented 2 years ago

@itcultus thanks for confirming, I have tried the above playbook and it works as expected.
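
To put the thread's recommendation into a complete playbook, here is an added example; it is not code from the issue or from the ansible-freeipa project. It assumes an inventory group named ipaserver, a vault variable idm_pass holding the admin password, distinct login names chosen by hand, and, for the check task, an existing admin Kerberos ticket on the target host. Unlike the per-user loop above, it passes the whole list to ipauser's users option, so the slower client context is paid once per run rather than once per user, and it deliberately omits passwordexpiration for the reason itcultus gives.

```yaml
---
# Added example (not from the issue or the ansible-freeipa project).
# Assumptions: inventory group "ipaserver", vault variable "idm_pass",
# and a valid admin Kerberos ticket on the host for the check task.
- name: Create users whose password must be changed on next logon
  hosts: ipaserver
  gather_facts: false
  vars:
    initial_user_pass: changeme
    # constructed sample input; login names are explicit to avoid collisions
    ipa_users:
      - name: john.doe
        first: John
        last: Doe
        password: "{{ initial_user_pass }}"
      - name: james.doe
        first: James
        last: Doe
        password: "{{ initial_user_pass }}"

  tasks:
    - name: Ensure users exist (whole list in one module call)
      freeipa.ansible_freeipa.ipauser:
        ipaadmin_password: "{{ idm_pass }}"
        # server context (the default) does not expire the initial password,
        # see https://pagure.io/freeipa/issue/9097; client context does
        ipaapi_context: client
        # set the password only when the user is created, never on later runs;
        # passwordexpiration is intentionally not used, it would be re-applied each run
        update_password: on_create
        users: "{{ ipa_users }}"
        state: present

    - name: Confirm each new user's password is already expired
      # Reads the raw krbpasswordexpiration attribute and compares it with "now".
      # Both are LDAP GeneralizedTime strings (YYYYMMDDHHMMSSZ), so a plain
      # string comparison is a valid time comparison. Fails if the attribute is
      # missing or lies in the future, i.e. if no change is forced at next logon.
      ansible.builtin.shell: |
        set -o pipefail
        exp=$(ipa user-show "{{ item.name }}" --all --raw | awk '/krbpasswordexpiration:/ {print $2}')
        now=$(date -u +%Y%m%d%H%M%SZ)
        echo "expiry=${exp:-<unset>} now=${now}"
        [[ -n "$exp" && ! "$exp" > "$now" ]]
      args:
        executable: /bin/bash
      loop: "{{ ipa_users }}"
      loop_control:
        label: "{{ item.name }}"
      changed_when: false
```

Running the same playbook with ipaapi_context removed (or set to server) makes the check task fail for freshly created users, which is a quick way to confirm on a given IPA version whether the server-context behaviour reported in this issue still applies. Because the first task uses update_password: on_create, re-running the playbook after a user has changed their password leaves that user untouched, so the check is only meaningful on the run that created the accounts.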