Re: Fwd: [Freeipa-users] Library to change expired password

2009-11-04 Thread Simo Sorce
On Tue, 2009-11-03 at 16:31 -0500, Dan Scott wrote:
> Sorry again, forgot to CC the mailing list.
> 
> Dan
> 
> On Tue, Nov 3, 2009 at 16:10, Dan Scott  wrote:
> > Hi,
> >
> > On Mon, Nov 2, 2009 at 07:33, Simo Sorce  wrote:
> >> On Sun, 2009-11-01 at 22:26 -0500, Dan Scott wrote:
> >>> On Sat, Oct 31, 2009 at 12:50, Simo Sorce  wrote:
> >>> > On Fri, 2009-10-30 at 18:16 -0400, Dan Scott wrote:
> >>> >> OK, that makes sense, thanks. But there's still one thing I don't
> >>> >> really understand. How do the ipa tools obtain a ticket for the RPC
> >>> >> when the password has expired?
> >>> >
> >>> > They don't, password change is done via kpasswd (or direct connection to
> >>> > ldap and ldappasswd operation).
> >>>
> >>> So kpasswd can alter the LDAP directory without a ticket?
> >>
> >> kpasswd can take a ticket for kadmin/chang...@realm
> >
> > So is that a 'special' ticket, which can be obtained with an expired
> > password? Which can then be used to change the user's password?

Pretty much.

> >>> Let me check to see if I've got this straight. There are no IPA
> >>> specific tools for changing an expired password?
> >>
> >> Admin can always reset other users' passwords, but they will be expired.
> >
> > Well sure, :) but changing a user's expired password for another
> > expired password doesn't really help. I meant more along the lines
> > that there are no IPA specific tools which allow a non-admin user to
> > change their own expired password.

Yes the tool is called "kpasswd" :)
Or if you have it properly configured (and it should be if you use
ipa-client-install) you should also be able to use the normal "passwd"
command and perform the password change through the PAM password stack.

> >>> The only way that I can see at the moment is to 'manually' alter the
> >>> LDAP directory. i.e. Hash the password myself and insert it into the
> >>> database. Could someone point me in the right direction for the cn and
> >>> hashing algorithm I need to use?
> >>
> >> No, prehashed passwords are refused; we need the clear text password to be
> >> able to create the kerberos keys.
> >> The best way is to use the ldappasswd extended operation, although
> >> probably writing the clear text password to userPassword should also
> >> work.
> >
> > OK, thanks. I've located a Java library which implements the correct
> > LDAP extended operations. I can change a non-expired password with no
> > problem, but I still can't change an expired password. I am using:
> >
> > http://www.unboundid.com/products/ldapsdk/
> >
> > and I am attempting to bind to the LDAP directory using SimpleBindRequest
> >
> > http://www.unboundid.com/products/ldapsdk/docs/javadoc/com/unboundid/ldap/sdk/SimpleBindRequest.html
> >
> > This works fine for changing currently valid passwords, but I receive
> > "LDAPException :invalid credentials" when attempting to bind using an
> > expired password. Do I need to use a different bind type? There are
> > several available: ANONYMOUSBindRequest, CRAMMD5BindRequest,
> > DIGESTMD5BindRequest, EXTERNALBindRequest, GSSAPIBindRequest,
> > PLAINBindRequest, SASLBindRequest. I assume that anonymous won't work.
> > Maybe I need to request the kadmin/changepw ticket requested above
> > using Kerberos and use this to bind to LDAP?
> >
> > Is there any documentation related to all this? Anything would be
> > great but if there's anything related to the way it works in FreeIPA
> > that would be even better. I've been searching high and low and I'm
> > not really having much luck.
> >

What have you used so far? Simple auth?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: Fwd: [Freeipa-users] Library to change expired password

2009-11-03 Thread Dan Scott
Sorry again, forgot to CC the mailing list.

Dan

On Tue, Nov 3, 2009 at 16:10, Dan Scott  wrote:
> Hi,
>
> On Mon, Nov 2, 2009 at 07:33, Simo Sorce  wrote:
>> On Sun, 2009-11-01 at 22:26 -0500, Dan Scott wrote:
>>> On Sat, Oct 31, 2009 at 12:50, Simo Sorce  wrote:
>>> > On Fri, 2009-10-30 at 18:16 -0400, Dan Scott wrote:
>>> >> OK, that makes sense, thanks. But there's still one thing I don't
>>> >> really understand. How do the ipa tools obtain a ticket for the RPC
>>> >> when the password has expired?
>>> >
>>> > They don't, password change is done via kpasswd (or direct connection to
>>> > ldap and ldappasswd operation).
>>>
>>> So kpasswd can alter the LDAP directory without a ticket?
>>
>> kpasswd can take a ticket for kadmin/chang...@realm
>
> So is that a 'special' ticket, which can be obtained with an expired
> password? Which can then be used to change the user's password?
>
>>> Let me check to see if I've got this straight. There are no IPA
>>> specific tools for changing an expired password?
>>
>> Admin can always reset other users' passwords, but they will be expired.
>
> Well sure, :) but changing a user's expired password for another
> expired password doesn't really help. I meant more along the lines
> that there are no IPA specific tools which allow a non-admin user to
> change their own expired password.
>
>>> The only way that I can see at the moment is to 'manually' alter the
>>> LDAP directory. i.e. Hash the password myself and insert it into the
>>> database. Could someone point me in the right direction for the cn and
>>> hashing algorithm I need to use?
>>
>> No, prehashed passwords are refused; we need the clear text password to be
>> able to create the kerberos keys.
>> The best way is to use the ldappasswd extended operation, although
>> probably writing the clear text password to userPassword should also
>> work.
>
> OK, thanks. I've located a Java library which implements the correct
> LDAP extended operations. I can change a non-expired password with no
> problem, but I still can't change an expired password. I am using:
>
> http://www.unboundid.com/products/ldapsdk/
>
> and I am attempting to bind to the LDAP directory using SimpleBindRequest
>
> http://www.unboundid.com/products/ldapsdk/docs/javadoc/com/unboundid/ldap/sdk/SimpleBindRequest.html
>
> This works fine for changing currently valid passwords, but I receive
> "LDAPException :invalid credentials" when attempting to bind using an
> expired password. Do I need to use a different bind type? There are
> several available: ANONYMOUSBindRequest, CRAMMD5BindRequest,
> DIGESTMD5BindRequest, EXTERNALBindRequest, GSSAPIBindRequest,
> PLAINBindRequest, SASLBindRequest. I assume that anonymous won't work.
> Maybe I need to request the kadmin/changepw ticket requested above
> using Kerberos and use this to bind to LDAP?
>
> Is there any documentation related to all this? Anything would be
> great but if there's anything related to the way it works in FreeIPA
> that would be even better. I've been searching high and low and I'm
> not really having much luck.
>
> Thanks,
>
> Dan
>



Re: Fwd: [Freeipa-users] Library to change expired password

2009-11-02 Thread Rich Megginson

Dan Scott wrote:

> On Sat, Oct 31, 2009 at 12:50, Simo Sorce  wrote:
>> On Fri, 2009-10-30 at 18:16 -0400, Dan Scott wrote:
>>> OK, that makes sense, thanks. But there's still one thing I don't
>>> really understand. How do the ipa tools obtain a ticket for the RPC
>>> when the password has expired?
>>
>> They don't, password change is done via kpasswd (or direct connection to
>> ldap and ldappasswd operation).
>
> So kpasswd can alter the LDAP directory without a ticket?
>
> Let me check to see if I've got this straight. There are no IPA
> specific tools for changing an expired password? It can be done using
> kpasswd (Which I really don't understand) or with a simple ldap bind
> where the expired password is used for binding? Further, there is no
> python library for changing the expired password? Is the above
> correct?
>
> The only way that I can see at the moment is to 'manually' alter the
> LDAP directory. i.e. Hash the password myself and insert it into the
> database. Could someone point me in the right direction for the cn and
> hashing algorithm I need to use?

No, you should not change a password using a pre-hashed value. You
should always send a clear text password - otherwise, IPA has no way to
generate the different hashes/keys it needs.

> Thanks again for all the replies,
>
> Dan


Re: Fwd: [Freeipa-users] Library to change expired password

2009-11-02 Thread Dan Scott
On Sat, Oct 31, 2009 at 12:50, Simo Sorce  wrote:
> On Fri, 2009-10-30 at 18:16 -0400, Dan Scott wrote:
>> OK, that makes sense, thanks. But there's still one thing I don't
>> really understand. How do the ipa tools obtain a ticket for the RPC
>> when the password has expired?
>
> They don't, password change is done via kpasswd (or direct connection to
> ldap and ldappasswd operation).

So kpasswd can alter the LDAP directory without a ticket?

Let me check to see if I've got this straight. There are no IPA
specific tools for changing an expired password? It can be done using
kpasswd (Which I really don't understand) or with a simple ldap bind
where the expired password is used for binding? Further, there is no
python library for changing the expired password? Is the above
correct?

The only way that I can see at the moment is to 'manually' alter the
LDAP directory. i.e. Hash the password myself and insert it into the
database. Could someone point me in the right direction for the cn and
hashing algorithm I need to use?

Thanks again for all the replies,

Dan



Re: Fwd: [Freeipa-users] Library to change expired password

2009-11-02 Thread Simo Sorce
On Sun, 2009-11-01 at 22:26 -0500, Dan Scott wrote:
> On Sat, Oct 31, 2009 at 12:50, Simo Sorce  wrote:
> > On Fri, 2009-10-30 at 18:16 -0400, Dan Scott wrote:
> >> OK, that makes sense, thanks. But there's still one thing I don't
> >> really understand. How do the ipa tools obtain a ticket for the RPC
> >> when the password has expired?
> >
> > They don't, password change is done via kpasswd (or direct connection to
> > ldap and ldappasswd operation).
> 
> So kpasswd can alter the LDAP directory without a ticket?

kpasswd can take a ticket for kadmin/chang...@realm

> Let me check to see if I've got this straight. There are no IPA
> specific tools for changing an expired password?

Admin can always reset other users' passwords, but they will be expired.

> It can be done using
> kpasswd (Which I really don't understand) or with a simple ldap bind
> where the expired password is used for binding? Further, there is no
> python library for changing the expired password? Is the above
> correct?

Correct.

> The only way that I can see at the moment is to 'manually' alter the
> LDAP directory. i.e. Hash the password myself and insert it into the
> database. Could someone point me in the right direction for the cn and
> hashing algorithm I need to use?

No, prehashed passwords are refused; we need the clear text password to be
able to create the kerberos keys. 
The best way is to use the ldappasswd extended operation, although
probably writing the clear text password to userPassword should also
work.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: Fwd: [Freeipa-users] Library to change expired password

2009-10-31 Thread Simo Sorce
On Fri, 2009-10-30 at 18:16 -0400, Dan Scott wrote:
> OK, that makes sense, thanks. But there's still one thing I don't
> really understand. How do the ipa tools obtain a ticket for the RPC
> when the password has expired?

They don't, password change is done via kpasswd (or direct connection to
ldap and ldappasswd operation).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Fwd: [Freeipa-users] Library to change expired password

2009-10-30 Thread Dan Scott
Sorry, forgot to copy everyone else in.

Dan


-- Forwarded message --
From: Dan Scott 
Date: Fri, Oct 30, 2009 at 18:15
Subject: Re: [Freeipa-users] Library to change expired password
To: Rob Crittenden 


Hi,

On Fri, Oct 30, 2009 at 17:42, Rob Crittenden  wrote:
> Dan Scott wrote:
>>>
>>> This may not be too difficult to do in a web form (SSL protected, of
>>> course). You should be able to create a non-kerberos auth page that
>>> prompts
>>> for username, old and new password and a submit button. You could pass
>>> this
>>> onto a simple backend that does an LDAP bind as the user with the old
>>> password then use ldap_passwd() to set the new password.
>>
>> Thanks. Do you have a particular language in mind for the
>> ldap_passwd() command? This sounds like a good way to go about it.
>> I've been looking at the ldappasswd command to figure out the correct
>> arguments, but this seems to require an SSL connection (Which is not
>> currently configured on my ipa server). This is strange, as ipa-passwd
>> and/or kpasswd don't appear to require SSL (maybe I'm wrong about
>> this). Anyway, is there a way to do this without using SSL?
>
> I'll respond in reverse.
>
> I don't believe the LDAP server will accept password changes over an
> unencrypted channel, so you either need to bind using GSSAPI or use SSL.
>
> We use forwarded tickets in XML-RPC so our LDAP connections don't use SSL,
> we do a GSSAPI bind which brings its own encryption. You will have to do a
> simple bind since you'll just have a username/password.

OK, that makes sense, thanks. But there's still one thing I don't
really understand. How do the ipa tools obtain a ticket for the RPC
when the password has expired? This is the fundamental problem that I
have. I can't obtain a ticket because the password has expired and I
can't change the password because I don't have a ticket! :)

> You can do it in whatever language you feel most comfortable with. You can
> write it as a CGI using perl, use mod_python, PHP, etc. All of these have
> some amount of LDAP support.

OK, thanks. The reason I'm asking is because I've looked through
most/all of these technologies and I can't find much/anything related
to changing expired passwords. Admittedly, when I was looking for
this, I was attempting to use Kerberos, not LDAP. But the problem
appears the same for LDAP password changing support.

Python seems to be the exception where there is a good kerberos
library (and I have played around with this, but my Python knowledge
is very poor.:) ). There doesn't appear to be a php-kerberos library
(Well, there is one for kadm, but not MIT kerberos). Java has Kerberos
support for the Login protocol via JAAS, but no support for changing
passwords. There's no java LDAP change password functionality, only
direct directory manipulation.

I'm not sure whether I'm trying to do something wrong, but it doesn't
seem like anyone else has had this problem before me. It seems very
strange that none of these technologies have good password change
support. Am I going about this the wrong way? :)

>> I might be making this all far too complicated. I have considered
>> using JNI to wrap a c kerberos library. Does this sound like a
>> reasonable idea?
>
> I'm pretty sure Java supports kerberos natively. It can also speak LDAP
> natively.

Sure, it does, primarily for login functionality. But support for
password changes does not appear to exist without client side hashing
and direct directory manipulation.

Thanks for your responses, they're very useful.

Dan



Re: [Freeipa-users] Library to change expired password

2009-10-30 Thread Rob Crittenden

Dan Scott wrote:

>> This may not be too difficult to do in a web form (SSL protected, of
>> course). You should be able to create a non-kerberos auth page that prompts
>> for username, old and new password and a submit button. You could pass this
>> onto a simple backend that does an LDAP bind as the user with the old
>> password then use ldap_passwd() to set the new password.
>
> Thanks. Do you have a particular language in mind for the
> ldap_passwd() command? This sounds like a good way to go about it.
> I've been looking at the ldappasswd command to figure out the correct
> arguments, but this seems to require an SSL connection (which is not
> currently configured on my ipa server). This is strange, as ipa-passwd
> and/or kpasswd don't appear to require SSL (maybe I'm wrong about
> this). Anyway, is there a way to do this without using SSL?

I'll respond in reverse.

I don't believe the LDAP server will accept password changes over an
unencrypted channel, so you either need to bind using GSSAPI or use SSL.

We use forwarded tickets in XML-RPC so our LDAP connections don't use
SSL, we do a GSSAPI bind which brings its own encryption. You will have
to do a simple bind since you'll just have a username/password.

We configure SSL for the LDAP server so as long as you trust the IPA CA
you can do an SSL connection.

You can do it in whatever language you feel most comfortable with. You
can write it as a CGI using perl, use mod_python, PHP, etc. All of these
have some amount of LDAP support.

> I might be making this all far too complicated. I have considered
> using JNI to wrap a c kerberos library. Does this sound like a
> reasonable idea?

I'm pretty sure Java supports kerberos natively. It can also speak LDAP
natively.

>>>> Is there any documentation on the FreeIPA XMLRPC which I can read? I
>>>> have the API, but no more. I had to dig into the apache configuration
>>>> to find the domain path context (/xml/ipa).
>>
>> Yes, just the API is documented, there aren't any programming examples other
>> than the code itself AFAIK.
>>
>> One thing you can do is add the -v option to the ipa command-line tools to
>> see the XML-RPC request/response. That might help.
>
> Thanks for that tip. It's useful to see the RPCs. Just to confirm,
> there's no way to perform the 'un-authenticated' XML RPC to change a
> password, even if the expired password is supplied in the call?

Right, no unauthenticated access. We let Apache's mod_auth_kerb module
handle authentication for us and expect a ticket in the entry point.
Even if you configured it to not require a ticket things would very
likely blow up. That said, you can probably look at ipaldap.py for
inspiration on how to do the password change in python (if you choose to
go that route).

> Thanks,
>
> Dan Scott
> http://danieljamesscott.org

rob



Re: [Freeipa-users] Library to change expired password

2009-10-30 Thread Dan Scott
Hi,

Thanks for your replies.

On Fri, Oct 30, 2009 at 09:29, Rob Crittenden  wrote:
> Jason Gerard DeRose wrote:
>>
>> On Thu, 2009-10-29 at 17:56 -0400, Dan Scott wrote:
>>>
>>> Hi,
>>>
>>> I'm trying to integrate FreeIPA with a Java webapp using JAAS. I have
>>> the login module configured properly and it is working fine.
>>>
>>> However, I have a problem with the initial user setup. New accounts
>>> are created with expired passwords for good reason. However, I would
>>> like a way for a user to change their expired kerberos password
>>> which does not use the command line. e.g. an SSL web form.
>>>
>>> On searching the web, there does not appear to be a (free) java
>>> library which implements the same functionality as ipa-passwd, kinit
>>> or ssh for changing expired passwords. Does anyone know if such a
>>> thing exists? The IPA documentation indicates that ssh has an option
>>> 'challenge-response' for changing expired passwords. I would like the
>>> same functionality on a web page.
>>
>> Yes, you raise a good point and we obviously need a way to do this via
>> the web UI.
>>
>> Rob, if a user's password is expired, how does the password change work?
>> Does the user still do a Kerberos auth with the old password, or do we
>> need a non-Kerberos protected web page through which to update the
>> password?
>>
>> Either way, this will be a simple thing to add to the UI.
>
> As Sumit said, the self-service page currently requires kerberos so you'd
> have to get a TGT first which means you need a valid password.
>
> This may not be too difficult to do in a web form (SSL protected, of
> course). You should be able to create a non-kerberos auth page that prompts
> for username, old and new password and a submit button. You could pass this
> onto a simple backend that does an LDAP bind as the user with the old
> password then use ldap_passwd() to set the new password.

Thanks. Do you have a particular language in mind for the
ldap_passwd() command? This sounds like a good way to go about it.
I've been looking at the ldappasswd command to figure out the correct
arguments, but this seems to require an SSL connection (Which is not
currently configured on my ipa server). This is strange, as ipa-passwd
and/or kpasswd don't appear to require SSL (maybe I'm wrong about
this). Anyway, is there a way to do this without using SSL?

I might be making this all far too complicated. I have considered
using JNI to wrap a c kerberos library. Does this sound like a
reasonable idea?

>>> Is there any documentation on the FreeIPA XMLRPC which I can read? I
>>> have the API, but no more. I had to dig into the apache configuration
>>> to find the domain path context (/xml/ipa).
>
> Yes, just the API is documented, there aren't any programming examples other
> than the code itself AFAIK.
>
> One thing you can do is add the -v option to the ipa command-line tools to
> see the XML-RPC request/response. That might help.

Thanks for that tip. It's useful to see the RPCs. Just to confirm,
there's no way to perform the 'un-authenticated' XML RPC to change a
password, even if the expired password is supplied in the call?

Thanks,

Dan Scott
http://danieljamesscott.org



Re: [Freeipa-users] Library to change expired password

2009-10-30 Thread Rob Crittenden

Dmitri Pal wrote:

>> As Sumit said, the self-service page currently requires kerberos so
>> you'd have to get a TGT first which means you need a valid password.
>>
>> This may not be too difficult to do in a web form (SSL protected, of
>> course). You should be able to create a non-kerberos auth page that
>> prompts for username, old and new password and a submit button. You
>> could pass this onto a simple backend that does an LDAP bind as the
>> user with the old password then use ldap_passwd() to set the new
>> password.
>
> Is there anything we can leverage from what Pavel has done with the
> non-kerberos migration page?
> I know this is a completely different case under the hood but for the
> end user they seem pretty similar, so maybe there is a way to take
> advantage of what Pavel already implemented.

It is certainly similar in principle. I need to review Pavel's work a
bit more to determine how much could be leveraged.

rob



Re: [Freeipa-users] Library to change expired password

2009-10-30 Thread Dmitri Pal

>
> As Sumit said, the self-service page currently requires kerberos so
> you'd have to get a TGT first which means you need a valid password.
>
> This may not be too difficult to do in a web form (SSL protected, of
> course). You should be able to create a non-kerberos auth page that
> prompts for username, old and new password and a submit button. You
> could pass this onto a a simple backend that does an LDAP bind as the
> user with the old password then use ldap_passwd() to set the new
> password.

Is there anything we can leverage from what Pavel has done with the
non-kerberos migration page?
I know this is a completely different case under the hood but for the
end user they seem pretty similar, so maybe there is a way to take
advantage of what Pavel already implemented.


-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



Re: [Freeipa-users] Library to change expired password

2009-10-30 Thread Rob Crittenden

Jason Gerard DeRose wrote:

> On Thu, 2009-10-29 at 17:56 -0400, Dan Scott wrote:
>> Hi,
>>
>> I'm trying to integrate FreeIPA with a Java webapp using JAAS. I have
>> the login module configured properly and it is working fine.
>>
>> However, I have a problem with the initial user setup. New accounts
>> are created with expired passwords for good reason. However, I would
>> like a way for a user to change their expired kerberos password
>> which does not use the command line. e.g. an SSL web form.
>>
>> On searching the web, there does not appear to be a (free) java
>> library which implements the same functionality as ipa-passwd, kinit
>> or ssh for changing expired passwords. Does anyone know if such a
>> thing exists? The IPA documentation indicates that ssh has an option
>> 'challenge-response' for changing expired passwords. I would like the
>> same functionality on a web page.
>
> Yes, you raise a good point and we obviously need a way to do this via
> the web UI.
>
> Rob, if a user's password is expired, how does the password change work?
> Does the user still do a Kerberos auth with the old password, or do we
> need a non-Kerberos protected web page through which to update the
> password?
>
> Either way, this will be a simple thing to add to the UI.

As Sumit said, the self-service page currently requires kerberos so
you'd have to get a TGT first which means you need a valid password.

This may not be too difficult to do in a web form (SSL protected, of
course). You should be able to create a non-kerberos auth page that
prompts for username, old and new password and a submit button. You
could pass this onto a simple backend that does an LDAP bind as the
user with the old password then use ldap_passwd() to set the new password.

>> Assuming that this is true (which I find very hard to believe), then I
>> can think of 3 possible solutions:
>>
>> 1. Attempt to execute the system commands from within Java (Yuck -
>> quite apart from the difficulties of escaping the arguments, the
>> password will be displayed in the system process list while the
>> command is being executed).
>> 2. Use XMLRPC. Although this introduces another whole layer into the
>> system, this might be the best way to go.
>> 3. Update the user's password expiry in the LDAP directory to (say) 1
>> day in the future so that they can login.
>>
>> I am currently looking at the XMLRPC route. However, no matter what
>> request I send to the server, I receive 'XmlRpcException:HTTP server
>> returned unexpected status: Authorization Required'. Do I need to
>> store the details of the failed login so that I can authorize my RPC?
>
> Ah, you've raised an important question that we currently don't have
> documented, AFAIK.  Your XML-RPC client will have to set the
> 'Authorization' header for the Kerberos negotiation.  But as some
> clients might not allow you to set the HTTP headers, we obviously need
> other mechanisms, including using just a username/password.

One can set KrbMethodK5Passwd to on in /etc/httpd/conf.d/ipa.conf to
allow it to fall back to username/password authentication. Still
requires a non-expired password though.

>> Is there any documentation on the FreeIPA XMLRPC which I can read? I
>> have the API, but no more. I had to dig into the apache configuration
>> to find the domain path context (/xml/ipa).

Yes, just the API is documented, there aren't any programming examples
other than the code itself AFAIK.

One thing you can do is add the -v option to the ipa command-line tools
to see the XML-RPC request/response. That might help.

> Right now the documentation is scarce, but we're currently working on
> solidifying and formalizing the XML-RPC API and plan to document it in
> detail once this is done.

Yeah, we'll have to see if we can get some sample requests into the v2
API docs.

> Thanks for your interest in FreeIPA and we appreciate your feedback!
>
>> Thanks,
>>
>> Dan Scott
>> http://danieljamesscott.org

rob


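An added example (my own code, not the thread's or FreeIPA's) of what the ldappasswd extended operation that Rob and Simo recommend looks like on the wire: it hand-encodes the RFC 3062 Password Modify request into an LDAPMessage and parses the server's ExtendedResponse, with the DN, passwords, message IDs and diagnostic strings all constructed for the example. It goes slightly beyond the thread by also handling long-form BER lengths, which a response with a long diagnostic message needs.

```python
"""Hand-built LDAP Password Modify extended operation (RFC 3062).

Added example, not code from the thread or from FreeIPA. Every DN,
password, message ID and diagnostic string used here is constructed.
"""
from typing import Optional, Tuple

# Real OID of the Password Modify extended operation (RFC 3062).
PASSWD_MODIFY_OID = b"1.3.6.1.4.1.4203.1.11.1"

# LDAP result codes a password-change client should tell apart (RFC 4511).
RESULT_NAMES = {
    0: "success",
    19: "constraintViolation (password policy rejected the new value)",
    49: "invalidCredentials",
    53: "unwillingToPerform (e.g. change refused over an unencrypted channel)",
}


def ber_len(n: int) -> bytes:
    """BER definite-form length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """BER INTEGER for a non-negative value (enough for message IDs)."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def passwd_modify_request(msg_id: int, user_dn: Optional[str],
                          old_pw: Optional[str], new_pw: Optional[str]) -> bytes:
    """Encode an LDAPMessage carrying a Password Modify ExtendedRequest.

    The new password is sent in clear text inside the TLS- or GSSAPI-
    protected connection; the server derives its own hashes and Kerberos
    keys from it, which is why a pre-hashed value cannot be used here.
    """
    value = b""
    if user_dn is not None:           # userIdentity [0] OCTET STRING
        value += tlv(0x80, user_dn.encode())
    if old_pw is not None:            # oldPasswd    [1] OCTET STRING
        value += tlv(0x81, old_pw.encode())
    if new_pw is not None:            # newPasswd    [2] OCTET STRING
        value += tlv(0x82, new_pw.encode())
    request_value = tlv(0x30, value)  # PasswdModifyRequestValue SEQUENCE
    # ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
    #     requestName [0] LDAPOID, requestValue [1] OCTET STRING OPTIONAL }
    ext_req = tlv(0x77, tlv(0x80, PASSWD_MODIFY_OID) + tlv(0x81, request_value))
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }
    return tlv(0x30, ber_int(msg_id) + ext_req)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one TLV at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                  # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(msg: bytes) -> Tuple[int, int, str]:
    """Return (messageID, resultCode, diagnosticMessage) from an LDAPMessage
    whose protocolOp is an ExtendedResponse ([APPLICATION 24], tag 0x78)."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("protocolOp is not an ExtendedResponse")
    tag, code, pos = _read_tlv(op, 0)         # resultCode ENUMERATED
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    _, _matched_dn, pos = _read_tlv(op, pos)  # matchedDN LDAPDN
    _, diag, _ = _read_tlv(op, pos)           # diagnosticMessage LDAPString
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()


def sample_response(msg_id: int, result_code: int, diag: str) -> bytes:
    """Constructed ExtendedResponse standing in for what a server would send."""
    body = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, diag.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(0x78, body))
```

As Rob notes above, the bytes still have to travel over an LDAPS or GSSAPI-protected connection, and getting past the bind with an expired password is a separate problem from this encoding.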

Re: [Freeipa-users] Library to change expired password

2009-10-30 Thread Sumit Bose
On Thu, Oct 29, 2009 at 10:54:01PM -0600, Jason Gerard DeRose wrote:
> On Thu, 2009-10-29 at 17:56 -0400, Dan Scott wrote:
> > Hi,
> > 
> > I'm trying to integrate FreeIPA with a Java webapp using JAAS. I have
> > the login module configured properly and it is working fine.
> > 
> > However, I have a problem with the initial user setup. New accounts
> > are created with expired passwords for good reason. However, I would
> > like a way for a user to change their expired kerberos password
> > which does not use the command line. e.g. an SSL web form.
> > 
> > On searching the web, there does not appear to be a (free) java
> > library which implements the same functionality as ipa-passwd, kinit
> > or ssh for changing expired passwords. Does anyone know if such a
> > thing exists? The IPA documentation indicates that ssh has an option
> > 'challenge-response' for changing expired passwords. I would like the
> > same functionality on a web page.
> 
> Yes, you raise a good point and we obviously need a way to do this via
> the web UI.
> 
> Rob, if a user's password is expired, how does the password change work?
> Does the user still do a Kerberos auth with the old password, or do we
> need a non-Kerberos protected web page through which to update the
> password?
> 
> Either way, this will be a simple thing to add to the UI.
> 

If the password is expired you get KRB5KDC_ERR_KEY_EXP when requesting a
TGT. Please note that you will always get this response no matter whether
the password matches the old password or not. You can then request a
password change ticket, principal: kadmin/changepw, with the old
password and run the password change with this ticket.

I would expect that you cannot use a kerberos protected page, because
you do not have a TGT and cannot request a service ticket for the web
server.

bye,
Sumit



Re: [Freeipa-users] Library to change expired password

2009-10-29 Thread Jason Gerard DeRose
On Thu, 2009-10-29 at 17:56 -0400, Dan Scott wrote:
> Hi,
> 
> I'm trying to integrate FreeIPA with a Java webapp using JAAS. I have
> the login module configured properly and it is working fine.
> 
> However, I have a problem with the initial user setup. New accounts
> are created with expired passwords for good reason. However, I would
> like a way for a user to change their expired kerberos password
> which does not use the command line. e.g. an SSL web form.
> 
> On searching the web, there does not appear to be a (free) java
> library which implements the same functionality as ipa-passwd, kinit
> or ssh for changing expired passwords. Does anyone know if such a
> thing exists? The IPA documentation indicates that ssh has an option
> 'challenge-response' for changing expired passwords. I would like the
> same functionality on a web page.

Yes, you raise a good point and we obviously need a way to do this via
the web UI.

Rob, if a user's password is expired, how does the password change work?
Does the user still do a Kerberos auth with the old password, or do we
need a non-Kerberos protected web page through which to update the
password?

Either way, this will be a simple thing to add to the UI.

> Assuming that this is true (which I find very hard to believe), then I
> can think of 3 possible solutions:
> 
> 1. Attempt to execute the system commands from within Java (Yuck -
> quite apart from the difficulties of escaping the arguments, the
> password will be displayed in the system process list while the
> command is being executed).
> 2. Use XMLRPC. Although this introduces another whole layer into the
> system, this might be the best way to go.
> 3. Update the user's password expiry in the LDAP directory to (say) 1
> day in the future so that they can login.
> 
> I am currently looking at the XMLRPC route. However, no matter what
> request I send to the server, I receive 'XmlRpcException:HTTP server
> returned unexpected status: Authorization Required'. Do I need to
> store the details of the failed login so that I can authorize my RPC?

Ah, you've raised an important question that we currently don't have
documented, AFAIK.  Your XML-RPC client will have to set the
'Authorization' header for the Kerberos negotiation.  But as some
clients might not allow you to set the HTTP headers, we obviously need
other mechanisms, including using just a username/password.

For what it's worth, this is the Python code Rob wrote for doing this
(line 318 in ipalib/rpc.py):

class KerbTransport(SSLTransport):
    """
    Handles Kerberos Negotiation authentication to an XML-RPC server.
    """

    def _handle_exception(self, e, service=None):
        (major, minor) = ipautil.get_gsserror(e)
        if minor[1] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
            raise errors.ServiceError(service=service)
        elif minor[1] == KRB5_FCC_NOFILE:
            raise errors.NoCCacheError()
        elif minor[1] == KRB5KRB_AP_ERR_TKT_EXPIRED:
            raise errors.TicketExpired()
        elif minor[1] == KRB5_FCC_PERM:
            raise errors.BadCCachePerms()
        elif minor[1] == KRB5_CC_FORMAT:
            raise errors.BadCCacheFormat()
        elif minor[1] == KRB5_REALM_CANT_RESOLVE:
            raise errors.CannotResolveKDC()
        else:
            raise errors.KerberosError(major=major, minor=minor)

    def get_host_info(self, host):
        (host, extra_headers, x509) = SSLTransport.get_host_info(self, host)

        # Set the remote host principal
        service = "HTTP@" + host.split(':')[0]

        try:
            (rc, vc) = kerberos.authGSSClientInit(service,
                                                 kerberos.GSS_C_DELEG_FLAG |
                                                 kerberos.GSS_C_MUTUAL_FLAG |
                                                 kerberos.GSS_C_SEQUENCE_FLAG)
        except kerberos.GSSError, e:
            self._handle_exception(e)

        try:
            kerberos.authGSSClientStep(vc, "")
        except kerberos.GSSError, e:
            self._handle_exception(e, service=service)

        extra_headers = [
            ('Authorization', 'negotiate %s' %
                kerberos.authGSSClientResponse(vc))
        ]

        return (host, extra_headers, x509)


> Is there any documentation on the FreeIPA XMLRPC which I can read? I
> have the API, but no more. I had to dig into the apache configuration
> to find the domain path context (/xml/ipa).

Right now the documentation is scarce, but we're currently working on
solidifying and formalizing the XML-RPC API and plan to document it in
detail once this is done.

Thanks for your interest in FreeIPA and we appreciate your feedback!

> Thanks,
> 
> Dan Scott
> http://danieljamesscott.org
> 

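For Dan's "Authorization Required" problem and the KerbTransport code Jason quotes, here is an added example (not from the thread and not ipalib's own code) of the same idea as a Python 3 xmlrpc.client transport. It assumes python-gssapi for the GSS context; the header parsing is plain Python following the Negotiate scheme of RFC 4559, so it also shows what a server side has to check before trusting an Authorization header. Unlike the ipalib snippet it does not ask for credential delegation, and it finishes mutual authentication by feeding the server's reply token back into the context.

```python
import base64
import binascii
import xmlrpc.client

try:
    import gssapi            # python-gssapi; only needed by NegotiateTransport
except ImportError:
    gssapi = None


def parse_negotiate_challenge(www_authenticate):
    """Token bytes from a 'WWW-Authenticate' value, b'' for a bare
    'Negotiate' challenge, None if the scheme is not Negotiate or the
    token is not valid base64."""
    if www_authenticate is None:
        return None
    parts = www_authenticate.strip().split(None, 1)
    if not parts or parts[0].lower() != "negotiate":
        return None
    if len(parts) == 1:
        return b""
    try:
        return base64.b64decode(parts[1].strip(), validate=True)
    except binascii.Error:
        return None


def build_authorization_header(token):
    """Client -> server header, the same shape KerbTransport sends."""
    return ("Authorization", "Negotiate " + base64.b64encode(token).decode("ascii"))


def parse_authorization_header(value):
    """Server side: accept only the Negotiate scheme carrying a
    well-formed base64 token; Basic credentials or a bare scheme word
    are rejected (None) rather than guessed at."""
    parts = value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "negotiate":
        return None
    try:
        return base64.b64decode(parts[1].strip(), validate=True)
    except binascii.Error:
        return None


class NegotiateTransport(xmlrpc.client.SafeTransport):
    """Python 3 counterpart of KerbTransport: obtain an initial GSS token
    for HTTP@<host> from the caller's credential cache and send it in the
    Authorization header of the XML-RPC POST."""

    def get_host_info(self, host):
        host, extra_headers, x509 = super().get_host_info(host)
        if gssapi is None:
            raise RuntimeError("python-gssapi is required for Negotiate auth")
        service = gssapi.Name("HTTP@" + host.split(":")[0],
                              gssapi.NameType.hostbased_service)
        # No delegation flag: the web server has no need for our TGT.
        self._gss_context = gssapi.SecurityContext(
            name=service, usage="initiate",
            flags=[gssapi.RequirementFlag.mutual_authentication,
                   gssapi.RequirementFlag.out_of_sequence_detection])
        token = self._gss_context.step()   # GSSError here means no usable TGT
        extra_headers = [build_authorization_header(token)]
        return host, extra_headers, x509

    def parse_response(self, response):
        # Mutual auth: the server's token comes back in WWW-Authenticate on
        # the successful reply; refuse to use the reply if it is missing.
        ctx = getattr(self, "_gss_context", None)
        if ctx is not None and not ctx.complete:
            server_token = parse_negotiate_challenge(response.getheader("WWW-Authenticate"))
            if not server_token:
                raise RuntimeError("server did not complete mutual authentication")
            ctx.step(server_token)
        return super().parse_response(response)


if __name__ == "__main__":
    # Assumed server URL; the /xml/ipa path is the one Dan found in the
    # apache configuration.
    proxy = xmlrpc.client.ServerProxy("https://ipa.example.test/xml/ipa",
                                      transport=NegotiateTransport())
    print(proxy.system.listMethods())
```

The transport only works once the user already holds a TGT, which is exactly why it cannot serve the expired-password case from the earlier messages: with KRB5KDC_ERR_KEY_EXP there is no TGT to build the token from, and the change has to go through kadmin/changepw instead.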

[Freeipa-users] Library to change expired password

2009-10-29 Thread Dan Scott
Hi,

I'm trying to integrate FreeIPA with a Java webapp using JAAS. I have
the login module configured properly and it is working fine.

However, I have a problem with the initial user setup. New accounts
are created with expired passwords for good reason. However, I would
like a way for a user to change their expired kerberos password
which does not use the command line. e.g. an SSL web form.

On searching the web, there does not appear to be a (free) java
library which implements the same functionality as ipa-passwd, kinit
or ssh for changing expired passwords. Does anyone know if such a
thing exists? The IPA documentation indicates that ssh has an option
'challenge-response' for changing expired passwords. I would like the
same functionality on a web page.

Assuming that this is true (which I find very hard to believe), then I
can think of 3 possible solutions:

1. Attempt to execute the system commands from within Java (Yuck -
quite apart from the difficulties of escaping the arguments, the
password will be displayed in the system process list while the
command is being executed).
2. Use XMLRPC. Although this introduces another whole layer into the
system, this might be the best way to go.
3. Update the user's password expiry in the LDAP directory to (say) 1
day in the future so that they can login.

I am currently looking at the XMLRPC route. However, no matter what
request I send to the server, I receive 'XmlRpcException:HTTP server
returned unexpected status: Authorization Required'. Do I need to
store the details of the failed login so that I can authorize my RPC?

Is there any documentation on the FreeIPA XMLRPC which I can read? I
have the API, but no more. I had to dig into the apache configuration
to find the domain path context (/xml/ipa).

Thanks,

Dan Scott
http://danieljamesscott.org
