[Freeipa-devel] [PATCH] 877 prompt for current password

Rob Crittenden rcritten at redhat.com
Mon Oct 3 19:16:31 UTC 2011


Martin Kosek wrote:
> On Mon, 2011-09-19 at 09:03 -0400, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> On 16.9.2011 21:16, Rob Crittenden wrote:
>>>> Prompt for the current password when changing your own password using
>>>> ipa passwd.
>>>>
>>>> I had to jump through several hoops with this:
>>>>
>>>> - Added a new sortorder option so the Current password is prompted first
>>>
>>> IMO something like "before='password'" would be more readable and
>>> probably less error-prone than "sortorder=-1".
>>
>> The params are sorted numerically based on whether they are required,
>> have a default, etc. A negative value means it will appear first. This
>> is intended to be generic enough without having to worry about nested
>> resolution (A before B, B before C, C before A).
>>
>>>
>>>> - Pass a magic value for current_password if changing someone else's
>>>> password
>>>>
>>>> NOTE: This breaks the API for passwd. There is no way around it. I have
>>>> this as a minor update as it won't cause older clients to blow up too
>>>> badly, but their passwd command won't work.
>>>>
>>>> rob
>>>>
>>>
>>> Honza
>>>
>
> Generally, it works fine except for the case when the user passes their own
> user name. Do we want to support the following way?
>
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: fbar at IDM.LAB.BOS.REDHAT.COM
>
> Valid starting     Expires            Service principal
> 09/23/11 09:48:05  09/24/11 09:48:05  krbtgt/IDM.LAB.BOS.REDHAT.COM at IDM.LAB.BOS.REDHAT.COM
>
> # ipa passwd fbar
> New Password:
> Enter New Password again to verify:
> ipa: ERROR: Insufficient access: Invalid credentials
>
> Maybe we could throw an error when the user passes their own principal to the
> ipa passwd command. After all, this argument is for changing _other_ users'
> passwords.
>
> Martin
>

Fixed. The username wasn't being normalized into a principal until after 
the default was set (where we determine whether to prompt for current 
password).

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-877-2-passwd.patch
Type: text/x-patch
Size: 4473 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111003/2cfa5d17/attachment.bin>
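
The ordering problem described in the reply above, as an added example that is not part of the original message or the attached patch. It is a simplified model of the client-side decision: every name in it (normalize_principal, build_request, MAGIC_PLACEHOLDER, the EXAMPLE.TEST realm) is hypothetical, and the real magic value is not shown in this thread.

```python
# Added illustration, not FreeIPA code. Models why "ipa passwd fbar" run by
# fbar skipped the current-password prompt before the fix.
REALM = "EXAMPLE.TEST"                 # constructed realm
MAGIC_PLACEHOLDER = "<magic-value>"    # stands in for the real magic value


def normalize_principal(name, realm=REALM):
    """Turn a bare user name into user@REALM; leave full principals alone."""
    name = name.strip()
    return name if "@" in name else f"{name}@{realm}"


def is_self_change_buggy(target_arg, ticket_principal):
    # Default is computed on the raw argument: "fbar" != "fbar@EXAMPLE.TEST",
    # so a self-change is misread as changing someone else's password.
    return target_arg == ticket_principal


def is_self_change_fixed(target_arg, ticket_principal):
    # Normalize first, then decide whether the current password is needed.
    return normalize_principal(target_arg) == normalize_principal(ticket_principal)


def build_request(target_arg, ticket_principal, is_self_change, prompt):
    """Return the arguments a client would send for a password change.

    prompt is a callable that asks for the current password; it is only
    invoked when the change is judged to be a self-change.
    """
    if is_self_change(target_arg, ticket_principal):
        current = prompt()
    else:
        current = MAGIC_PLACEHOLDER
    return {
        "principal": normalize_principal(target_arg),
        "current_password": current,
    }


if __name__ == "__main__":
    ticket = "fbar@EXAMPLE.TEST"       # constructed ticket principal
    ask = lambda: "old-secret"         # constructed stand-in for a prompt
    for check in (is_self_change_buggy, is_self_change_fixed):
        print(check.__name__, build_request("fbar", ticket, check, ask))
```

In the buggy ordering the request for fbar's own account carries the placeholder instead of the current password, which matches the missing prompt and the "Invalid credentials" error in the transcript above.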

