Fwd: [Freeipa-users] Library to change expired password
Rich Megginson
rmeggins at redhat.com
Mon Nov 2 21:32:15 UTC 2009
Dan Scott wrote:
> On Sat, Oct 31, 2009 at 12:50, Simo Sorce <ssorce at redhat.com> wrote:
>
>> On Fri, 2009-10-30 at 18:16 -0400, Dan Scott wrote:
>>
>>> OK, that makes sense, thanks. But there's still one thing I don't
>>> really understand. How do the ipa tools obtain a ticket for the RPC
>>> when the password has expired?
>>>
>> They don't, password change is done via kpasswd (or direct connection to
>> ldap and ldappasswd operation).
>>
>
> So kpasswd can alter the LDAP directory without a ticket?
>
> Let me check to see if I've got this straight. There are no IPA
> specific tools for changing an expired password? It can be done using
> kpasswd (which I really don't understand) or with a simple ldap bind
> where the expired password is used for binding? Further, there is no
> python library for changing the expired password? Is the above
> correct?
>
> The only way that I can see at the moment is to 'manually' alter the
> LDAP directory. i.e. Hash the password myself and insert it into the
> database. Could someone point me in the right direction for the cn and
> hashing algorithm I need to use?
>
No, you should not change a password using a pre-hashed value. You
should always send a clear text password - otherwise, IPA has no way to
generate the different hashes/keys it needs.
> Thanks again for all the replies,
>
> Dan
>
>
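Added example, not part of the original message and not FreeIPA code: the ldappasswd operation mentioned above is the RFC 3062 Password Modify extended operation, and this Python code encodes and decodes its request value to show that the old and new passwords travel as clear-text octet strings, which is what lets the server generate every hash and key itself. The DN and passwords are constructed sample values; because the request carries clear text, a real client sends it only over a TLS-protected connection.

```python
# Added example (not FreeIPA code): RFC 3062 Password Modify request value.
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # extended-operation OID from RFC 3062
FIELDS = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}

def _ber_len(n):
    if n < 0x80:                       # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body   # long form

def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value

def encode_passwd_modify(user_dn=None, old_password=None, new_password=None):
    # SEQUENCE { [0] userIdentity, [1] oldPasswd, [2] newPasswd }, all optional.
    # Every field is a plain OCTET STRING: the password is not hashed client-side.
    body = b""
    for tag, text in ((0x80, user_dn), (0x81, old_password), (0x82, new_password)):
        if text is not None:
            body += _tlv(tag, text.encode("utf-8"))
    return _tlv(0x30, body)

def _read_tlv(buf, pos):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        width = first & 0x7F
        length = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def decode_passwd_modify(blob):
    # What the directory server recovers: the clear-text values themselves.
    tag, body, end = _read_tlv(blob, 0)
    if tag != 0x30 or end != len(blob):
        raise ValueError("not a PasswdModifyRequestValue")
    out, pos = {}, 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        out[FIELDS[tag]] = value.decode("utf-8")
    return out

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    req = encode_passwd_modify("uid=dscott,dc=example,dc=com", "Expired-Pw1", "Fresh-Pw2!")
    print(PASSWD_MODIFY_OID, req.hex(), decode_passwd_modify(req))
```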