On Wed, 2012-06-06 at 14:34 +0200, Willem Bos wrote: > Hi Alexander, > > > I did some experimenting with the example at > http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/ > and am now able to create a user using the following as input to curl (-d > @user_add.json) : > > > { > "method":"user_add", > "params":[ > [], > { > "uid":"test", > "givenname":"test", > "sn":"test", > "userpassword":"test" > } > ] > } > > > I'm left with two questions : > - Is it possible to use a hashed password (as stored in the 'meta-IM') > as a value for userpassword? And if so, will this propagate to the > created Kerberos principal?
Nope, we need the clear text in order to generate the krb5 keys. > - After creation, I'm forced to change the password when running > `kinit test`. Is it possible to reset prevent the forced password > change? Yes, see: http://www.freeipa.org/page/PasswordSynchronization > As a test, I tried to set the '-needchange' attribute using kadmin but > that returned "... Insufficient access while modifying..." This is not controlled by kadmin. > > I grepped the mailing list archives / API.txt / source code / etc. for > clues but without success... See above, it is really easy to create an agent with the right permissions. Simo. -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users