Re: [Freeipa-devel] Capturing passwords for migration at bind-time?
- From: Simo Sorce <ssorce redhat com>
- To: John Dennis <jdennis redhat com>
- Cc: freeipa-devel redhat com
- Subject: Re: [Freeipa-devel] Capturing passwords for migration at bind-time?
- Date: Thu, 26 Jun 2008 12:08:40 -0400
On Thu, 2008-06-26 at 12:00 -0400, John Dennis wrote:
> Simo Sorce wrote:
> > On Thu, 2008-06-26 at 11:14 -0400, John Dennis wrote:
> >
> > > Nalin Dahyabhai wrote:
> > >
> > > > Would it be useful to also intercept the password used when a simple or
> > > > SASL/PLAIN bind requests succeed, and take the opportunity to generate
> > > > the hashes so that we can avoid forcing password changes?
> > > >
> > > >
> > > How do you plan to intercept the plain text password in IPA? We aren't
> > > in control of the services a user is likely to issue a SASL/PLAIN bind
> > > to are we?
> > >
> >
> > We control the LDAP server, that's the only SASL/PLAIN bind we care
> > about.
> >
> >
> Right, but when and in what context are users doing a plain bind to
> our LDAP server? Wouldn't this be very atypical?

This is a migration scenario, I see at least 2 ways:

a) some frontend (web?) app is built to proxy the user password to ldap
by performing a bind.

b) we provide a pam module smart enough to check the user status against
ldap if pam_kerb5 fails, and if it finds the user is in "upgrade" mode,
perform an (SSL protected) simple bind against the ldap server.

Simo.
--
Simo Sorce * Red Hat, Inc * New York
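
The bind-time migration idea discussed in this thread, sketched as an added example that is not part of the original message and is not FreeIPA code. The entry attributes `migrationPending` and `newHash`, the `simple_bind` hook, and the use of PBKDF2 as a stand-in for the real hash generation are all assumptions made for illustration.

```python
import base64, hashlib, hmac, os

PBKDF2_ROUNDS = 100_000  # assumed work factor for the stand-in hash

def make_ssha(password, salt):
    """Build a legacy {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(stored, password):
    """Verify a password against a legacy {SSHA} value in constant time."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def derive_new_hash(password, salt=None):
    """Stand-in for generating the new hashes (PBKDF2 is an assumption)."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "key": key}

def simple_bind(entry, password, tls):
    """Hypothetical bind hook: authenticate, then migrate on success only."""
    if not tls or not password:
        return False  # never accept a cleartext password off an unprotected channel
    if not check_ssha(entry["userPassword"], password):
        return False  # failed binds must never produce new hashes
    if entry.get("migrationPending"):
        entry["newHash"] = derive_new_hash(password)
        entry["migrationPending"] = False  # no forced password change needed
    return True

def check_new_hash(entry, password):
    """Verify a password against the hash generated at bind time."""
    new = entry["newHash"]
    return hmac.compare_digest(derive_new_hash(password, new["salt"])["key"], new["key"])

def sample_entry():
    """Constructed directory entry for a user still in 'upgrade' mode."""
    return {"uid": "jdoe", "migrationPending": True,
            "userPassword": make_ssha("correct horse", b"\x8a\x1f\x03\x5c")}

if __name__ == "__main__":
    e = sample_entry()
    print(simple_bind(e, "correct horse", tls=True), e["migrationPending"])
```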