Fwd: [Freeipa-users] Library to change expired password

Simo Sorce ssorce at redhat.com
Wed Nov 4 13:44:12 UTC 2009


On Tue, 2009-11-03 at 16:31 -0500, Dan Scott wrote:
> Sorry again, forgot to CC the mailing list.
> 
> Dan
> 
> On Tue, Nov 3, 2009 at 16:10, Dan Scott <danieljamesscott at gmail.com> wrote:
> > Hi,
> >
> > On Mon, Nov 2, 2009 at 07:33, Simo Sorce <ssorce at redhat.com> wrote:
> >> On Sun, 2009-11-01 at 22:26 -0500, Dan Scott wrote:
> >>> On Sat, Oct 31, 2009 at 12:50, Simo Sorce <ssorce at redhat.com> wrote:
> >>> > On Fri, 2009-10-30 at 18:16 -0400, Dan Scott wrote:
> >>> >> OK, that makes sense, thanks. But there's still one thing I don't
> >>> >> really understand. How do the ipa tools obtain a ticket for the RPC
> >>> >> when the password has expired?
> >>> >
> >>> > They don't, password change is done via kpasswd (or direct connection to
> >>> > ldap and ldappasswd operation).
> >>>
> >>> So kpasswd can alter the LDAP directory without a ticket?
> >>
> >> kpasswd can take a ticket for kadmin/changepw at REALM
> >
> > So is that a 'special' ticket, which can be obtained with an expired
> > password? Which can then be used to change the user's password?

Pretty much.

> >>> Let me check to see if I've got this straight. There are no IPA
> >>> specific tools for changing an expired password?
> >>
> >> Admin can always reset other users' passwords, but they will be expired.
> >
> > Well sure, :) but changing a user's expired password for another
> > expired password doesn't really help. I meant more along the lines
> > that there are no IPA specific tools which allow a non-admin user to
> > change their own expired password.

Yes, the tool is called "kpasswd" :)
Or if you have it properly configured (and it should be if you use
ipa-client-install) you should also be able to use the normal "passwd"
command and perform the password change through the pam password stack.

> >>> The only way that I can see at the moment is to 'manually' alter the
> >>> LDAP directory. i.e. Hash the password myself and insert it into the
> >>> database. Could someone point me in the right direction for the cn and
> >>> hashing algorithm I need to use?
> >>
> >> No, prehashed passwords are refused, we need the clear text password to be
> >> able to create the kerberos keys.
> >> The best way is to use the ldappasswd extended operation, although
> >> probably writing the clear text password to userPassword should also
> >> work.
> >
> > OK, thanks. I've located a Java library which implements the correct
> > LDAP extended operations. I can change a non-expired password with no
> > problem, but I still can't change an expired password. I am using:
> >
> > http://www.unboundid.com/products/ldapsdk/
> >
> > and I am attempting to bind to the LDAP directory using SimpleBindRequest
> >
> > http://www.unboundid.com/products/ldapsdk/docs/javadoc/com/unboundid/ldap/sdk/SimpleBindRequest.html
> >
> > This works fine for changing currently valid passwords, but I receive
> > "LDAPException :invalid credentials" when attempting to bind using an
> > expired password. Do I need to use a different bind type? There are
> > several available: ANONYMOUSBindRequest, CRAMMD5BindRequest,
> > DIGESTMD5BindRequest, EXTERNALBindRequest, GSSAPIBindRequest,
> > PLAINBindRequest, SASLBindRequest. I assume that anonymous won't work.
> > Maybe I need to request the kadmin/changepw ticket requested above
> > using Kerberos and use this to bind to LDAP?
> >
> > Is there any documentation related to all this? Anything would be
> > great but if there's anything related to the way it works in FreeIPA
> > that would be even better. I've been searching high and low and I'm
> > not really having much luck.
> >

What have you used so far? Simple auth?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
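As an added example that is not from this thread, here is the ldappasswd extended operation (RFC 3062 Password Modify) that Simo recommends, issued through the UnboundID SDK that Dan is using; the host, LDAPS port, trust store path and user DN are assumed values. It binds as the user over TLS and, on the INVALID_CREDENTIALS that an expired password produces on a simple bind, returns that code instead of retrying, since the Kerberos path (kpasswd against kadmin/changepw) is the supported way to change an expired password.

```java
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SimpleBindRequest;
import com.unboundid.ldap.sdk.extensions.PasswordModifyExtendedRequest;
import com.unboundid.ldap.sdk.extensions.PasswordModifyExtendedResult;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;

/** Change a user's own password with the RFC 3062 Password Modify extended operation. */
public final class IpaPasswordModify {

    // Assumed values: replace with the real IPA server, CA trust store and user DN.
    private static final String HOST = "ipa.example.com";
    private static final int LDAPS_PORT = 636;
    private static final String TRUST_STORE = "/etc/ipa/ca-truststore.jks";
    private static final String USER_DN = "uid=dan,cn=users,cn=accounts,dc=example,dc=com";

    /** Returns the server's result code; INVALID_CREDENTIALS if the simple bind is rejected. */
    public static ResultCode changeOwnPassword(String oldPassword, String newPassword)
            throws Exception {
        // The server needs the clear-text password to derive the Kerberos keys, so
        // only the transport protects it: always use LDAPS with a verified CA.
        SSLUtil sslUtil = new SSLUtil(new TrustStoreTrustManager(TRUST_STORE));
        LDAPConnection conn =
            new LDAPConnection(sslUtil.createSSLSocketFactory(), HOST, LDAPS_PORT);
        try {
            try {
                conn.bind(new SimpleBindRequest(USER_DN, oldPassword));
            } catch (LDAPException e) {
                // An expired password fails the simple bind with "invalid credentials",
                // exactly as described in the thread; fall back to kpasswd in that case.
                if (e.getResultCode() == ResultCode.INVALID_CREDENTIALS) {
                    return ResultCode.INVALID_CREDENTIALS;
                }
                throw e;
            }
            // Old and new password travel in the clear inside the extended request;
            // no pre-hashing, which the server would refuse. A null userIdentity
            // means "the currently bound user" (RFC 3062).
            PasswordModifyExtendedRequest req =
                new PasswordModifyExtendedRequest(null, oldPassword, newPassword);
            PasswordModifyExtendedResult res =
                (PasswordModifyExtendedResult) conn.processExtendedOperation(req);
            return res.getResultCode();
        } finally {
            conn.close();
        }
    }
}
```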
