[Freeipa-devel] [PATCH] 877 prompt for current password

Martin Kosek mkosek at redhat.com
Tue Oct 4 13:18:43 UTC 2011


On Tue, 2011-10-04 at 08:59 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Mon, 2011-10-03 at 15:16 -0400, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> On Mon, 2011-09-19 at 09:03 -0400, Rob Crittenden wrote:
> >>>> Jan Cholasta wrote:
> >>>>> On 16.9.2011 21:16, Rob Crittenden wrote:
> >>>>>> Prompt for the current password when changing your own password using
> >>>>>> ipa passwd.
> >>>>>>
> >>>>>> I had to jump through several hoops with this:
> >>>>>>
> >>>>>> - Added a new sortorder option so the Current password is prompted first
> >>>>>
> >>>>> IMO something like "before='password'" would be more readable and
> >>>>> probably less error-prone than "sortorder=-1".
> >>>>
> >>>> The params are sorted numerically based on whether they are required,
> >>>> have a default, etc. A negative value means it will appear first. This
> >>>> is intended to be generic enough without having to worry about nested
> >>>> resolution (A before B, B before C, C before A).
> >>>>
> >>>>>
> >>>>>> - Pass a magic value for current_password if changing someone else's
> >>>>>> password
> >>>>>>
> >>>>>> NOTE: This breaks the API for passwd. There is no way around it. I have
> >>>>>> this as a minor update as it won't cause older clients to blow up too
> >>>>>> badly, but their passwd command won't work.
> >>>>>>
> >>>>>> rob
> >>>>>>
> >>>>>
> >>>>> Honza
> >>>>>
> >>>
> >>> Generally, it works fine except for the case when the user passes their own
> >>> user name. Do we want to support the following way?
> >>>
> >>> # klist
> >>> Ticket cache: FILE:/tmp/krb5cc_0
> >>> Default principal: fbar at IDM.LAB.BOS.REDHAT.COM
> >>>
> >>> Valid starting     Expires            Service principal
> >>> 09/23/11 09:48:05  09/24/11 09:48:05  krbtgt/IDM.LAB.BOS.REDHAT.COM at IDM.LAB.BOS.REDHAT.COM
> >>>
> >>> # ipa passwd fbar
> >>> New Password:
> >>> Enter New Password again to verify:
> >>> ipa: ERROR: Insufficient access: Invalid credentials
> >>>
> >>> Maybe we could throw an error when the user passes their own principal to the ipa
> >>> passwd command. After all, this argument is for changing _other_ user
> >>> passwords.
> >>>
> >>> Martin
> >>>
> >>
> >> Fixed. The username wasn't being normalized into a principal until after
> >> the default was set (where we determine whether to prompt for current
> >> password).
> >>
> >> rob
> >
> > I don't think this is the correct patch :-)
> >
> > Martin
> >
> 
> Try this one.

Yeah, this one is much better. ACK and pushed to master, ipa-2-1.

Martin
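
The ordering problem discussed in this thread (deciding whether to prompt for the current password before the user name has been normalized into a principal) is shown below as an added example; it is not code from the patch or from FreeIPA. The function names, the normalization rule and the placeholder standing in for the "magic value" are assumptions; the realm is the one from the klist output quoted above.

```python
# Added illustration. All names here are hypothetical, not FreeIPA's API.
REALM = "IDM.LAB.BOS.REDHAT.COM"  # realm from the klist output in the thread
NO_CURRENT_PASSWORD = "<magic-value-placeholder>"  # constructed placeholder


def normalize_principal(name, realm=REALM):
    """Return 'user@REALM'; append the default realm when none is given."""
    name = name.strip()
    user, sep, given_realm = name.partition("@")
    return f"{user}@{given_realm if sep else realm}"


def is_self_change_unnormalized(target, authenticated_principal):
    # Decision made on the raw argument: 'fbar' != 'fbar@REALM', so a
    # self-change is misclassified and the current password is never asked.
    return target == authenticated_principal


def is_self_change(target, authenticated_principal):
    # Normalize both sides first, then decide whether to prompt.
    return normalize_principal(target) == normalize_principal(
        authenticated_principal
    )


def build_passwd_args(target, authenticated_principal, new_password,
                      prompt_current):
    """Build the argument set a client would send.

    prompt_current is a callable (e.g. wrapping getpass.getpass) that is
    invoked only when the caller is changing their own password.
    """
    if is_self_change(target, authenticated_principal):
        current = prompt_current()
    else:
        # Changing someone else's password: no current password exists to
        # ask for, so the placeholder is sent in its place.
        current = NO_CURRENT_PASSWORD
    return {
        "principal": normalize_principal(target),
        "password": new_password,
        "current_password": current,
    }


if __name__ == "__main__":
    me = "fbar@" + REALM
    # Constructed sample values, not real credentials.
    print(build_passwd_args("fbar", me, "new-secret", lambda: "old-secret"))
    print(build_passwd_args("jdoe", me, "new-secret", lambda: "old-secret"))
```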



