On Thu, Oct 29, 2009 at 10:54:01PM -0600, Jason Gerard DeRose wrote:
> On Thu, 2009-10-29 at 17:56 -0400, Dan Scott wrote:
> > Hi,
> >
> > I'm trying to integrate FreeIPA with a Java webapp using JAAS. I have
> > the login module configured properly and it is working fine.
> >
> > However, I have a problem with the initial user setup. New accounts
> > are created with expired passwords for good reason. However, I would
> > like a way for a user to change their expired kerberos password
> > which does not use the command line. e.g. an SSL web form.
> >
> > On searching the web, there does not appear to be a (free) java
> > library which implements the same functionality as ipa-passwd, kinit
> > or ssh for changing expired passwords. Does anyone know if such a
> > thing exists? The IPA documentation indicates that ssh has an option
> > 'challenge-response' for changing expired passwords. I would like the
> > same functionality on a web page.
>
> Yes, you raise a good point and we obviously need a way to do this via
> the web UI.
>
> Rob, if a user's password is expired, how does the password change work?
> Does the user still do a Kerberos auth with the old password, or do we
> need a non-Kerberos protected web page through which to update the
> password?
>
> Either way, this will be a simple thing to add to the UI.
>
If the password is expired you get KRB5KDC_ERR_KEY_EXP when requesting a
TGT. Please note that you will always get this response no matter if the
password matches the old password or not. You can then request a password
change ticket, principal: kadmin/changepw, with the old password and run
the password change with this ticket.

I would expect that you cannot use a kerberos protected page, because you
do not have a TGT and cannot request a service ticket for the web server.

bye,
Sumit

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
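The flow Sumit describes, as an added example that is not part of the original thread and not FreeIPA's own code: it uses the MIT Kerberos command-line tools (`kinit`, `kinit -S kadmin/changepw`, `kpasswd`) and classifies `kinit`'s stderr so a caller can tell an expired password apart from a wrong one. The stderr lines in the test data are constructed samples using MIT's wording; the function and variable names are my own. The security point the code encodes is the one from the reply: KRB5KDC_ERR_KEY_EXP is returned whether or not the supplied password was correct, so "expired" must never be treated as "password verified". The old password is only verified when the kadmin/changepw ticket is obtained.

```shell
#!/bin/sh
# Added example: driving the expired-password change flow from a script.
# Assumes MIT Kerberos client tools are installed; nothing here is FreeIPA code.

# Map a kinit stderr line (MIT wording) to an outcome tag.
# An empty string means kinit produced no error, i.e. a TGT was obtained.
classify_kinit_error() {
    case "$1" in
        "")                                   echo ok ;;
        *"Password has expired"*)             echo expired ;;      # KRB5KDC_ERR_KEY_EXP
        *"Password incorrect"*)               echo bad_password ;;
        *"Preauthentication failed"*)         echo bad_password ;;
        *"not found in Kerberos database"*)   echo no_principal ;;
        *)                                    echo other ;;
    esac
}

# Decide what a web front end may conclude from a kinit outcome.
# Only "ok" proves the password; "expired" proves nothing about it,
# because the KDC answers KEY_EXP before checking the password.
password_verified() {
    case "$1" in
        ok) echo yes ;;
        *)  echo no ;;
    esac
}

# Next step for the caller: change the password only on "expired";
# a wrong password must not be routed into the change dialog.
next_action() {
    case "$1" in
        ok)           echo proceed ;;
        expired)      echo change_password ;;
        bad_password) echo reject ;;
        no_principal) echo reject ;;
        *)            echo error ;;
    esac
}

# Try to get a TGT for $1 with the password on stdin and print the outcome tag.
# Uses a throwaway credential cache so nothing leaks into the user's default cache.
probe_password() {
    principal="$1"
    cache="$(mktemp -u)"
    err="$(KRB5CCNAME="FILE:$cache" kinit "$principal" 2>&1 >/dev/null)"
    rm -f "$cache"
    classify_kinit_error "$err"
}

# Change an expired password for $1 (interactive; password prompts on the terminal).
# Step 1 (kinit -S kadmin/changepw): obtain the change-password ticket with the OLD
# password; this is where the old password is actually verified.
# Step 2 (kpasswd): perform the change. Assumption noted: MIT kpasswd obtains its own
# kadmin/changepw ticket, so step 1 is shown to mirror the description, not because
# kpasswd depends on it.
change_expired_password() {
    principal="$1"
    cache="$(mktemp -u)"
    KRB5CCNAME="FILE:$cache" kinit -S kadmin/changepw "$principal" || { rm -f "$cache"; return 1; }
    KRB5CCNAME="FILE:$cache" kpasswd "$principal"
    rc=$?
    rm -f "$cache"
    return $rc
}

# Example driver (only runs when invoked directly with a principal argument).
if [ -n "$1" ]; then
    outcome="$(probe_password "$1")"
    echo "kinit outcome: $outcome (password verified: $(password_verified "$outcome"))"
    [ "$(next_action "$outcome")" = change_password ] && change_expired_password "$1"
fi
```

Usage: `sh flow.sh user@EXAMPLE.COM` probes the password and, only on the expired outcome, enters the change dialog. A web form would run the same decision logic server-side; the key rule is that `expired` is not a login success.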