Implement the Redfish PasswordChangeRequired property

Joseph Reynolds jrey at
Tue Feb 18 08:09:26 AEDT 2020

This proposes implementing the Redfish [PasswordChangeRequired 
property][] and an underlying D-Bus PasswordExpired property.

These would be incremental changes to [OpenBMC user management][] and 
  - [phosphor-user-manager][]
  - [openbmc_project User D-Bus interfaces][]
  - [BMCWeb Redfish ManagerAccount REST APIs][]

[PasswordChangeRequired property]:
[OpenBMC user management]:
[openbmc_project User D-Bus interfaces]:
[BMCWeb Redfish ManagerAccount REST APIs]:

When this is merged, the PasswordChangeRequired property could be used 
as follows:
- The BMC admin can determine (via REST APIs) which local accounts have 
expired passwords.
- We can implement the [expired-password design][], which requires this 
property per the [expired-password code review][].
- We can add this field to the webui user-management page.

[expired-password design]:
[expired-password code review]:

Detailed design changes:

1. Add a new PasswordExpired property to the existing [D-Bus 
xyz.openbmc_project.User.Attributes interface][] to indicate if the 
password is expired.

[D-Bus xyz.openbmc_project.User.Attributes interface]:

2. Update [phosphor-user-manager][] to implement this property for local 
Reading can use something like the "chage --list" command.
I vote to make this property read-only, but if needed, writing a true 
value can invoke the "passwd --expire" command.

3. Implement the Redfish PasswordChangeRequired property in BMCWeb.
This would be read-only.
This affects existing Redfish ManagerAccount objects at URI 
This property would be present for local accounts and omitted for LDAP 

4. Update the [OpenBMC user management][] doc as needed.

- Joseph
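
Added example, not part of the original message and not phosphor-user-manager code: one way a PasswordExpired value could be derived for a local account, reading through getspnam() the same shadow aging fields that "chage --list" reports. The function names, the PasswordState enum and the rule of checking only the forced-change and maximum-age cases are assumptions of this sketch.

```cpp
#include <shadow.h>

#include <cstdio>
#include <ctime>

// Pure decision logic. All values are days since 1970-01-01, as in shadow(5).
// Assumption: only a forced change and maximum-age expiry are considered;
// the inactivity period and account expiry date are ignored here.
bool isPasswordExpired(long lastChangeDays, long maxAgeDays, long todayDays)
{
    if (lastChangeDays == 0)
    {
        return true; // state left by "passwd --expire": change required
    }
    if (lastChangeDays < 0 || maxAgeDays < 0)
    {
        return false; // empty field: password aging is disabled
    }
    return todayDays >= lastChangeDays + maxAgeDays;
}

// Hypothetical tri-state result so a caller can omit the property when the
// account has no local shadow entry.
enum class PasswordState { NoLocalEntry, Valid, Expired };

PasswordState localPasswordState(const char* user)
{
    // getspnam() returns nullptr when the user has no shadow entry or the
    // caller is not allowed to read the shadow database.
    const spwd* sp = getspnam(user);
    if (sp == nullptr)
    {
        return PasswordState::NoLocalEntry;
    }
    long today = static_cast<long>(std::time(nullptr) / 86400);
    return isPasswordExpired(sp->sp_lstchg, sp->sp_max, today)
               ? PasswordState::Expired
               : PasswordState::Valid;
}

int main(int argc, char** argv)
{
    if (argc < 2)
    {
        return 2;
    }
    PasswordState s = localPasswordState(argv[1]);
    std::printf("%s: %s\n", argv[1],
                s == PasswordState::Expired ? "PasswordExpired=true"
                : s == PasswordState::Valid ? "PasswordExpired=false"
                                            : "no local shadow entry");
    return 0;
}
```

Run as root with a user name as the only argument; an unprivileged caller gets "no local shadow entry" because the shadow database is not readable.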
