[Freeipa-devel] [PATCH] 274 Password change capability for form-based auth

Martin Kosek mkosek at redhat.com
Mon Jun 11 12:17:37 UTC 2012


On Mon, 2012-06-11 at 10:36 +0200, Martin Kosek wrote:
> On Thu, 2012-06-07 at 23:07 -0400, Simo Sorce wrote:
> > On Thu, 2012-06-07 at 22:28 -0400, Rob Crittenden wrote:
> > > Martin Kosek wrote:
> > > > You can use the attached script (changepw.py) to test the PW change
> > > > interface from command line (on IPA server).
> > > >
> > > > ---
> > > >
> > > > IPA server web form-based authentication allows logins for users
> > > > which for some reason cannot use Kerberos authentication. However,
> > > > when a password for such users expires, they are unable to change the
> > > > password via web interface.
> > > >
> > > > This patch adds a new WSGI script attached to URL
> > > > /ipa/session/change_password which can be accessed without
> > > > authentication and which provides password change capability
> > > > for web services.
> > > >
> > > > The actual password change in the script is processed with kpasswd
> > > > to be consistent with /ipa/session/login_password.
> > > >
> > > > Password result is passed both in the resulting HTML page and
> > > > in HTTP headers for easier parsing in web services:
> > > >    X-IPA-Pwchange-Result: {ok, invalid-password, policy-error}
> > > >    (optional) X-IPA-Pwchange-Policy-Error: $policy_error_text
> > > >
> > > > https://fedorahosted.org/freeipa/ticket/2276
> > > 
> > > It is probably more efficient to change the password using ldap. Simo, 
> > > do you know of an advantage of using one over the other? Better password 
> > > policy reporting may be reason enough.
> > 
> > Yes you'll get better error reporting, plus forking out kpasswd is quite
> > ugly, the python ldap code should be able to use the ldap passwd extend
> > op quite easily.
> > 
> > Simo.
> > 
> 
> Ok, sending a second version of the patch based on password change via
> LDAP. The error reporting is indeed easier and with no hard-coded
> parsing.
> 
> Martin

This patch will only work with SELinux disabled; it seems there is a
regression in SELinux policy which does not allow httpd to connect to
the dirsrv socket. I logged a bug:

https://bugzilla.redhat.com/show_bug.cgi?id=830764

This issue also disables other pages using dirsrv socket, like the
migration page or password-expiration detection in form-based auth.

Martin
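A sketch of the approach the thread converges on, added here as an example and not Martin's patch or any FreeIPA code: an unauthenticated WSGI handler that changes the password with the LDAP Password Modify extended operation through python-ldap (Simo's suggestion instead of forking kpasswd) and reports the outcome in the X-IPA-Pwchange-Result and X-IPA-Pwchange-Policy-Error headers as well as the HTML body. LDAP_URI, USER_DN, the form field names and the HTML are constructed assumptions, and `make_app` takes the change function as a parameter so the header logic can be exercised without a directory server.

```python
import io
from urllib.parse import parse_qs, urlencode

LDAP_URI = "ldapi://%2Fvar%2Frun%2Fslapd-EXAMPLE-TEST.socket"  # constructed
USER_DN = "uid=%s,cn=users,cn=accounts,dc=example,dc=test"      # constructed

class PasswordChangeError(Exception):
    def __init__(self, kind, detail=None):  # kind: 'invalid-password' | 'policy-error'
        super().__init__(kind)
        self.kind, self.detail = kind, detail

def ldap_change_password(user, old_pw, new_pw):
    """Bind as the user (so the directory enforces its policy), then run the
    Password Modify extended operation (RFC 3062) via python-ldap."""
    import ldap  # python-ldap, imported lazily so the WSGI part runs without it
    conn = ldap.initialize(LDAP_URI)
    try:
        conn.simple_bind_s(USER_DN % user, old_pw)
        conn.passwd_s(USER_DN % user, old_pw, new_pw)
    except ldap.INVALID_CREDENTIALS:
        raise PasswordChangeError("invalid-password")
    except ldap.CONSTRAINT_VIOLATION as e:  # policy failure (history, length, ...)
        raise PasswordChangeError("policy-error", e.args[0].get("info", ""))
    finally:
        conn.unbind_s()

def make_app(change_password=ldap_change_password):
    """WSGI app for the change_password URL: result in HTML body and headers."""
    def app(environ, start_response):
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(size).decode())
        try:
            change_password(form["user"][0], form["old_password"][0], form["new_password"][0])
            result, detail = "ok", None
        except PasswordChangeError as e:
            result, detail = e.kind, e.detail
        headers = [("Content-Type", "text/html"), ("X-IPA-Pwchange-Result", result)]
        if detail:
            headers.append(("X-IPA-Pwchange-Policy-Error", detail))
        start_response("200 OK", headers)
        return [("<html><body>Password change: %s</body></html>" % result).encode()]
    return app

def post(app, fields):
    """Drive the app with a form POST; return (result header, policy header, body)."""
    body = urlencode(fields).encode()
    environ = {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    seen = {}
    html = b"".join(app(environ, lambda status, hdrs: seen.update(hdrs))).decode()
    return seen.get("X-IPA-Pwchange-Result"), seen.get("X-IPA-Pwchange-Policy-Error"), html
```

With a real server the same `post` call goes against `make_app()`; the three header outcomes are what a web front end would branch on instead of parsing kpasswd output.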



