[Freeipa-devel] [PATCH] 274 Password change capability for form-based auth

Simo Sorce simo at redhat.com
Fri Jun 8 03:07:15 UTC 2012


On Thu, 2012-06-07 at 22:28 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > You can use the attached script (changepw.py) to test the PW change
> > interface from command line (on IPA server).
> >
> > ---
> >
> > IPA server web form-based authentication allows logins for users
> > which for some reason cannot use Kerberos authentication. However,
> > when a password for such users expires, they are unable to change the
> > password via web interface.
> >
> > This patch adds a new WSGI script attached to URL
> > /ipa/session/change_password which can be accessed without
> > authentication and which provides password change capability
> > for web services.
> >
> > The actual password change in the script is processed with kpasswd
> > to be consistent with /ipa/session/login_password.
> >
> > Password result is passed both in the resulting HTML page and
> > in HTTP headers for easier parsing in web services:
> >    X-IPA-Pwchange-Result: {ok, invalid-password, policy-error}
> >    (optional) X-IPA-Pwchange-Policy-Error: $policy_error_text
> >
> > https://fedorahosted.org/freeipa/ticket/2276
> 
> It is probably more efficient to change the password using ldap. Simo, 
> do you know of an advantage of using one over the other? Better password 
> policy reporting may be reason enough.

Yes, you'll get better error reporting. Plus, forking out kpasswd is quite
ugly; the python ldap code should be able to use the ldap passwd extend
op quite easily.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
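
Added example, not part of the original message or of the FreeIPA patch: a sketch of the approach suggested above, changing the password with python-ldap's passwd_s (the LDAP Password Modify extended operation) and mapping the server's errors to the X-IPA-Pwchange-* headers from the patch description. The bind-then-change sequence, the mapping of INVALID_CREDENTIALS and CONSTRAINT_VIOLATION to those result values, and the names header_safe, change_password and FakeConn are assumptions made for illustration.

```python
# Added example: LDAP password change mapped to the X-IPA-Pwchange-* headers.
try:
    from ldap import CONSTRAINT_VIOLATION, INVALID_CREDENTIALS  # python-ldap
except ImportError:
    # Stand-ins so the offline demo below runs without python-ldap installed.
    class INVALID_CREDENTIALS(Exception): pass
    class CONSTRAINT_VIOLATION(Exception): pass

RESULT_HDR = "X-IPA-Pwchange-Result"
POLICY_HDR = "X-IPA-Pwchange-Policy-Error"

def header_safe(text):
    """Collapse control characters so server text cannot split the header."""
    return " ".join("".join(c if c.isprintable() else " " for c in str(text)).split())

def change_password(conn, user_dn, old_pw, new_pw):
    """conn: an ldap.initialize(uri) object, or anything with the same two methods.
    Assumption: the server accepts a simple bind with the old password."""
    try:
        conn.simple_bind_s(user_dn, old_pw)     # proves knowledge of the old password
        conn.passwd_s(user_dn, old_pw, new_pw)  # Password Modify extended operation
    except INVALID_CREDENTIALS:
        return {RESULT_HDR: "invalid-password"}
    except CONSTRAINT_VIOLATION as e:
        detail = e.args[0] if e.args and isinstance(e.args[0], dict) else {}
        return {RESULT_HDR: "policy-error",
                POLICY_HDR: header_safe(detail.get("info", ""))}
    return {RESULT_HDR: "ok"}

class FakeConn:
    """Constructed stand-in for a directory server, for the offline demo only."""
    def __init__(self, password, min_len=8):
        self.password, self.min_len = password, min_len

    def simple_bind_s(self, who, cred):
        if cred != self.password:
            raise INVALID_CREDENTIALS({"desc": "Invalid credentials"})

    def passwd_s(self, user, oldpw, newpw):
        if len(newpw) < self.min_len:
            raise CONSTRAINT_VIOLATION(
                {"desc": "Constraint violation", "info": "Password is\r\ntoo short"})
        self.password = newpw

if __name__ == "__main__":
    dn = "uid=alice,cn=users,cn=accounts,dc=example,dc=test"  # constructed DN
    for new in ("short", "a-much-longer-passphrase"):
        print(change_password(FakeConn("OldSecret1"), dn, "OldSecret1", new))
```

The policy text comes from the directory server and ends up in a response header, which is why it passes through header_safe before use.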



