[Freeipa-devel] User life-cycle: nsAccountLock

Simo Sorce ssorce at redhat.com
Thu Jun 19 12:33:10 UTC 2014


On Thu, 2014-06-19 at 09:06 +0200, Martin Kosek wrote:
> On 06/18/2014 06:09 PM, Simo Sorce wrote:
> > On Wed, 2014-06-18 at 17:49 +0200, thierry bordaz wrote:
> >> On 06/18/2014 04:45 PM, Simo Sorce wrote:
> >>> On Wed, 2014-06-18 at 16:20 +0200, thierry bordaz wrote:
> >>>> On 06/18/2014 03:31 PM, Simo Sorce wrote:
> >>>>> On Wed, 2014-06-18 at 12:47 +0200, Martin Kosek wrote:
> >>>>>> On 06/17/2014 05:59 PM, thierry bordaz wrote:
> >>>>>>> On 06/16/2014 03:04 PM, Rob Crittenden wrote:
> ...
> >>> Right, if we allow setting userPassword this would happen, but then if
> >>> we allow setting userPassword do we also generate Kerberos keys?
> > 
> >> Currently, setting the userPassword (add entry or mod entry) triggers
> >> generation of krb keys (I guess in ipa-kdb).
> > 
> > No, it happens in ipa-pwd-extop.
> > 
> >>> If this is the case then we probably need to change the pre-bind plugin
> >>> (and ipa-kdb ?) to explicitly exclude staging (and deleted ?).
> > 
> >> Do you mean to prevent ipa-kdb from generating krb keys when this is
> >> Delete/Staging?
> > 
> > No I mean to prevent the ipa-kdb driver (it's the KDC driver) from
> > returning any key even if present for entries in those suffixes.
> 
> IMO we should definitely allow the provisioning system to set userPassword; it looks
> like a valid use case to me.
> 
> >>> I was actually planning to use staging to allow kadmin to create
> >>> entries, so we need to be careful how ipa-kdb limits access to staging,
> >>> I would guess it should pretend KrbKerberosKey is not present for those
> >>> entries.
> 
> When someone creates a user with a plain text userPassword, we normally hash it and
> also generate krbPrincipalKey, right? Should we then simply avoid both
> operations in the staging area, let the password be stored in plain text and
> let the Kerberos keys and attributes be generated during user activation? It
> will happen via recreating the entry anyway, so the right operations should be
> triggered.

No, we do not store plain text passwords.

Simo.
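The behaviour Simo describes above (the KDC driver pretending the Kerberos key attribute is not present for entries under the staging and deleted suffixes, and the pre-bind plugin excluding those entries) can be sketched as a small policy check. The code below is an added illustration, not FreeIPA's ipa-kdb or ipa-pwd-extop code; the container DNs, the `dc=example,dc=test` suffix and the sample entries are constructed assumptions for this example.

```python
"""Added example (not FreeIPA's own code): filter Kerberos key material and
bind rights for entries that live in the provisioning (staged/deleted) area."""
import re
from typing import Dict, List

# Assumed suffix and container DNs for this example (hypothetical layout).
SUFFIX = "dc=example,dc=test"
PROVISIONING_CONTAINERS = [
    f"cn=staged users,cn=accounts,cn=provisioning,{SUFFIX}",
    f"cn=deleted users,cn=accounts,cn=provisioning,{SUFFIX}",
]
# Attribute the KDC must treat as absent in the provisioning area.
KEY_ATTRIBUTES = {"krbprincipalkey"}


def _normalize_dn(dn: str) -> List[str]:
    """Split a DN into RDNs on commas that are not LDAP-escaped, and
    normalise each RDN (lowercase, whitespace trimmed) so that
    comparisons do not depend on formatting."""
    rdns = re.split(r"(?<!\\),", dn)
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return out


def is_under(dn: str, container: str) -> bool:
    """True if dn is strictly below container in the tree."""
    d = _normalize_dn(dn)
    c = _normalize_dn(container)
    return len(d) > len(c) and d[-len(c):] == c


def in_provisioning_area(dn: str) -> bool:
    return any(is_under(dn, c) for c in PROVISIONING_CONTAINERS)


def kdc_view(dn: str, entry: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return the entry as the KDC driver should see it: key attributes are
    dropped for staged/deleted entries even if they are physically present."""
    if not in_provisioning_area(dn):
        return dict(entry)
    return {k: v for k, v in entry.items() if k.lower() not in KEY_ATTRIBUTES}


def kdc_has_keys(dn: str, entry: Dict[str, List[str]]) -> bool:
    return any(k.lower() in KEY_ATTRIBUTES for k in kdc_view(dn, entry))


def bind_allowed(dn: str) -> bool:
    """Pre-bind policy: staged and deleted entries may not authenticate."""
    return not in_provisioning_area(dn)


# Constructed sample entries: one active user, one staged user whose DN
# contains an escaped comma, both with a (fake) krbPrincipalKey value.
ACTIVE_DN = f"uid=alice,cn=users,cn=accounts,{SUFFIX}"
STAGED_DN = f"cn=Doe\\, John,cn=staged users,cn=accounts,cn=provisioning,{SUFFIX}"
SAMPLE_ENTRY = {
    "objectClass": ["person", "krbprincipalaux"],
    "userPassword": ["{SSHA}constructed-hash"],
    "krbPrincipalKey": ["constructed-key-blob"],
}

if __name__ == "__main__":
    for dn in (ACTIVE_DN, STAGED_DN):
        print(dn, "keys visible:", kdc_has_keys(dn, SAMPLE_ENTRY),
              "bind allowed:", bind_allowed(dn))
```

The point of the suffix comparison on normalised RDN lists (rather than a substring match on the raw DN string) is that a value such as `cn=staged users` could legitimately appear elsewhere in a DN; only the tree position decides whether an entry is in the provisioning area.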
