[Freeipa-devel] User life-cycle: nsAccountLock

Martin Kosek mkosek at redhat.com
Thu Jun 19 12:47:19 UTC 2014 

On 06/19/2014 02:33 PM, Simo Sorce wrote:
> On Thu, 2014-06-19 at 09:06 +0200, Martin Kosek wrote:
>> On 06/18/2014 06:09 PM, Simo Sorce wrote:
>>> On Wed, 2014-06-18 at 17:49 +0200, thierry bordaz wrote:
>>>> On 06/18/2014 04:45 PM, Simo Sorce wrote:
>>>>> On Wed, 2014-06-18 at 16:20 +0200, thierry bordaz wrote:
>>>>>> On 06/18/2014 03:31 PM, Simo Sorce wrote:
>>>>>>> On Wed, 2014-06-18 at 12:47 +0200, Martin Kosek wrote:
>>>>>>>> On 06/17/2014 05:59 PM, thierry bordaz wrote:
>>>>>>>>> On 06/16/2014 03:04 PM, Rob Crittenden wrote:
>> ...
>>>>> Right, if we allow setting userPassword this would happen, but then if
>>>>> we allow setting userPassword do we also generate Kerberos Keys ?
>>>
>>>> Currently setting of the userPassword (add entry or mod entry) triggers 
>>>> generation of krb keys (I guess in ipa-kdb).
>>>
>>> No it happen in ipa-pwd-extop
>>>
>>>>> If this is the case then we probably need to change the pre-bind plugin
>>>>> (and ipa-kdb ?) to explicitly exclude staging (and deleted ?).
>>>
>>>> Do you mean to prevent ipa-kdb to generate krb keys when the this is 
>>>> Delete/Staging
>>>
>>> No I mean to prevent the ipa-kdb driver (it's the KDC driver) from
>>> returning any key even if present for entries in those suffixes.
>>
>> IMO we should definitely allow provisioning system to set userPassword, looks
>> like a valid use case to me.
>>
>>>>> I was actually planning to use staging to allow kadmin to create
>>>>> entries, so we need to be careful how ipa-kdb limits access to staging,
>>>>> I would guess it should pretend KrbKerberosKey is not present for those
>>>>> entries.
>>
>> When someone creates user with plain text userPassword, we normally hash it and
>> also generate krbPrincipalKey, right? Should we then simply avoid both
>> operations in the staging area, let the password be stored in plain text and
>> let the Kerberos keys and attributes be generated during user activation? It
>> will happen via recreating the entry anyway, so the right operations should be
>> triggered.
> 
> No, we do not store plain text passwords.
> 
> Simo.

Ok, but then we need to allow generation krbPrincipalKey for staged users, when
a new user is filed and userPassword is set. Otherwise you would not be able to
generate the krpPrincipalKey during user activation.

Martin

More information about the Freeipa-devel mailing list