[Freeipa-devel] [PATCH] 274 Password change capability for form-based auth

Martin Kosek mkosek at redhat.com
Mon Jun 11 08:36:45 UTC 2012


On Thu, 2012-06-07 at 23:07 -0400, Simo Sorce wrote:
> On Thu, 2012-06-07 at 22:28 -0400, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > You can use the attached script (changepw.py) to test the PW change
> > > interface from command line (on IPA server).
> > >
> > > ---
> > >
> > > IPA server web form-based authentication allows logins for users
> > > which for some reason cannot use Kerberos authentication. However,
> > > when a password for such users expires, they are unable to change the
> > > password via web interface.
> > >
> > > This patch adds a new WSGI script attached to URL
> > > /ipa/session/change_password which can be accessed without
> > > authentication and which provides password change capability
> > > for web services.
> > >
> > > The actual password change in the script is processed with kpasswd
> > > to be consistent with /ipa/session/login_password.
> > >
> > > Password result is passed both in the resulting HTML page and
> > > in HTTP headers for easier parsing in web services:
> > >    X-IPA-Pwchange-Result: {ok, invalid-password, policy-error}
> > >    (optional) X-IPA-Pwchange-Policy-Error: $policy_error_text
> > >
> > > https://fedorahosted.org/freeipa/ticket/2276
> > 
> > It is probably more efficient to change the password using ldap. Simo, 
> > do you know of an advantage of using one over the other? Better password 
> > policy reporting may be reason enough.
> 
> Yes you'll get better error reporting, plus forking out kpasswd is quite
> ugly, the python ldap code should be able to use the ldap passwd extend
> op quite easily.
> 
> Simo.
> 

Ok, sending a second version of the patch based on password change via
LDAP. The error reporting is indeed easier and with no hard-coded
parsing.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-274-2-password-change-capability-for-form-based-auth.patch
Type: text/x-patch
Size: 8195 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120611/b0208d24/attachment.bin>
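
The result-header interface described in the quoted commit message, written as a WSGI handler; this is an added example, not the code from the attached patch. The form field names, HTTP status codes, plain-text body, exception classes and the injected `change_password` backend are assumptions.

```python
from io import BytesIO
from urllib.parse import parse_qs, urlencode

RESULT = "X-IPA-Pwchange-Result"          # header names as given in the commit message
POLICY = "X-IPA-Pwchange-Policy-Error"
MAX_BODY = 4096                            # assumption: cap on a body read from an unauthenticated client

class InvalidPassword(Exception): pass     # hypothetical: backend rejected user or old password
class PolicyError(Exception): pass         # hypothetical: new password rejected by policy

def header_safe(text):
    # Policy text is copied into a response header: keep printable ASCII only,
    # so CR/LF in backend-supplied text cannot split the response.
    return "".join(c for c in text if " " <= c <= "~")[:200]

def make_app(change_password):
    """change_password(user, old, new) is the injected backend (e.g. an LDAP password modify)."""
    def app(environ, start_response):
        def reply(status, body, extra=()):
            start_response(status, [("Content-Type", "text/plain; charset=utf-8"), *extra])
            return [body.encode("utf-8")]
        if environ.get("REQUEST_METHOD") != "POST":
            return reply("405 Method Not Allowed", "POST required", [("Allow", "POST")])
        try:
            size = max(0, min(int(environ.get("CONTENT_LENGTH") or 0), MAX_BODY))
        except ValueError:
            return reply("400 Bad Request", "bad Content-Length")
        form = parse_qs(environ["wsgi.input"].read(size).decode("utf-8", "replace"))
        try:
            user, old, new = (form[k][0] for k in ("user", "old_password", "new_password"))
        except KeyError:
            return reply("400 Bad Request", "missing field")   # no result header: nothing was attempted
        try:
            change_password(user, old, new)
        except InvalidPassword:
            return reply("200 OK", "invalid password", [(RESULT, "invalid-password")])
        except PolicyError as e:
            return reply("200 OK", "policy error",
                         [(RESULT, "policy-error"), (POLICY, header_safe(str(e)))])
        return reply("200 OK", "password changed", [(RESULT, "ok")])
    return app

def post(app, fields):
    """Drive the app in-process with a form body; returns (status, headers dict)."""
    body, seen = urlencode(fields).encode(), {}
    environ = {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": str(len(body)), "wsgi.input": BytesIO(body)}
    app(environ, lambda status, headers: seen.update(status=status, headers=dict(headers)))
    return seen["status"], seen["headers"]
```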

