Sorry, forgot to copy everyone else in. Dan
---------- Forwarded message ---------- From: Dan Scott <danieljamessc...@gmail.com> Date: Fri, Oct 30, 2009 at 18:15 Subject: Re: [Freeipa-users] Library to change expired password To: Rob Crittenden <rcrit...@redhat.com> Hi, On Fri, Oct 30, 2009 at 17:42, Rob Crittenden <rcrit...@redhat.com> wrote: > Dan Scott wrote: >>> >>> This may not be too difficult to do in a web form (SSL protected, of >>> course). You should be able to create a non-kerberos auth page that >>> prompts >>> for username, old and new password and a submit button. You could pass >>> this >>> onto a a simple backend that does an LDAP bind as the user with the old >>> password then use ldap_passwd() to set the new password. >> >> Thanks. Do you have a particular language in mind for the >> ldap_passwd() command? This sounds like a good way to go about it. >> I've been looking at the ldappasswd command to figure out the correct >> arguments, but this seems to require an SSL connection (Which is not >> currently configured on my ipa server). This is strange, as ipa-passwd >> and/or kpasswd don't appear to require SSL (maybe I'm wrong about >> this). Anyway, is there a way to do this without using SSL? > > I'll respond in reverse. > > I don't believe the LDAP server will accept password changes over an > unencrypted channel, so you either need to bind using GSSAPI or use SSL. > > We use forwarded tickets in XML-RPC so our LDAP connections don't use SSL, > we do a GSSAPI bind which brings its own encryption. You will have to do a > simple bind since you'll just have a username/password. OK, that makes sense, thanks. But there's still one thing I don't really understand. How do the ipa tools obtain a ticket for the RPC when the password has expired? This is the fundamental problem that I have. I can't obtain a ticket because the password has expired and I can't change the password because I don't have a ticket! :) > You can do it in whatever language you feel most comfortable with. You can > write it as a CGI using perl, use mod_python, PHP, etc. All of these have > some amount of LDAP support. OK, thanks. The reason I'm asking is because I've looked through most/all of these technologies and I can't find much/anything related to changing expired passwords. Admittedly, when I was looking for this, I was attempting to use Kerberos, not LDAP. But the problem appears the same for LDAP password changing support. Python seems to be the exception where there is a good kerberos library (and I have played around with this, but my Python knowledge is very poor.:) ). There doesn't appear to be a php-kerberos library (Well, there is one for kadm, but not MIT kerberos). Java has Kerberos support for the Login protocol via JAAS, but no support for changing passwords. There's no java LDAP change password functionality, only direct directory manipulation. I'm not sure whether I'm trying to do something wrong, but it doesn't seem like anyone else has had this problem before me. It seems very strange that none of these technologies have good password change support. Am I going about this the wrong way? :) >> I might be making this all far too complicated. I have considered >> using JNI to wrap a c kerberos library. Does this sound like a >> reasonable idea? > > I'm pretty sure Java supports kerberos natively. It can also speak LDAP > natively. Sure, it does, primarily for login functionality. But support for password changes does not appear to exist without client side hashing and direct directory manipulation. Thanks for your responses, they're very useful. Dan _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
