[Freeipa-devel] [PATCH] 274 Password change capability for form-based auth

Rob Crittenden rcritten at redhat.com
Mon Jun 11 17:52:00 UTC 2012


Martin Kosek wrote:
> On Mon, 2012-06-11 at 10:36 +0200, Martin Kosek wrote:
>> On Thu, 2012-06-07 at 23:07 -0400, Simo Sorce wrote:
>>> On Thu, 2012-06-07 at 22:28 -0400, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> You can use the attached script (changepw.py) to test the PW change
>>>>> interface from command line (on IPA server).
>>>>>
>>>>> ---
>>>>>
>>>>> IPA server web form-based authentication allows logins for users
>>>>> which for some reason cannot use Kerberos authentication. However,
>>>>> when a password for such users expires, they are unable to change the
>>>>> password via web interface.
>>>>>
>>>>> This patch adds a new WSGI script attached to URL
>>>>> /ipa/session/change_password which can be accessed without
>>>>> authentication and which provides password change capability
>>>>> for web services.
>>>>>
>>>>> The actual password change in the script is processed with kpasswd
>>>>> to be consistent with /ipa/session/login_password.
>>>>>
>>>>> Password result is passed both in the resulting HTML page and
>>>>> in HTTP headers for easier parsing in web services:
>>>>>     X-IPA-Pwchange-Result: {ok, invalid-password, policy-error}
>>>>>     (optional) X-IPA-Pwchange-Policy-Error: $policy_error_text
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/2276
>>>>
>>>> It is probably more efficient to change the password using ldap. Simo,
>>>> do you know of an advantage of using one over the other? Better password
>>>> policy reporting may be reason enough.
>>>
>>> Yes, you'll get better error reporting, plus forking out kpasswd is quite
>>> ugly; the python ldap code should be able to use the ldap passwd extended
>>> op quite easily.
>>>
>>> Simo.
>>>
>>
>> Ok, sending a second version of the patch based on password change via
>> LDAP. The error reporting is indeed easier and with no hard-coded
>> parsing.
>>
>> Martin
>
> This patch will only work with SELinux disabled, it seems there is a
> regression in SELinux policy which does not allow httpd to connect to
> dirsrv socket. I logged a Bug:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=830764
>
> This issue also disables other pages using dirsrv socket, like the
> migration page or password-expiration detection in form-based auth.
>
> Martin

For '200 Success' you can use rpcserver.HTTP_STATUS_SUCCESS.

This works ok and does successfully change passwords but I don't like 
the logging very much. It should say that this is the password request 
URI somewhere at a minimum. Having the HTTP response is a bit strange 
too, and I don't know if a 400 should be logged as info.

I think this test program could be made into a test suite too, 
particularly to check the more esoteric parts like checking for missing 
options, too many options, etc.

rob
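The endpoint Martin describes and the review points Rob raises (result reported in the HTML body and in the X-IPA-Pwchange-* headers, a 400 for malformed requests, tests for missing and extra options), sketched as an added example. This is not FreeIPA's code and not the patch under review: the form field names, the 400/405 handling, the use of python-ldap's passwd_s for the LDAP password modify extended op, and the mapping of INVALID_CREDENTIALS / CONSTRAINT_VIOLATION onto the header values are assumptions. The demo backend and the requests driven through call() are constructed so the script runs offline.

```python
"""Form-based password change endpoint in the shape discussed in the thread.
Added example, not FreeIPA's code: field names, the 400/405 handling and the
LDAP error mapping are assumptions.  The outcome goes into the HTML body and
into the X-IPA-Pwchange-Result / X-IPA-Pwchange-Policy-Error headers."""
import html
import io
from urllib.parse import parse_qs

REQUIRED_FIELDS = frozenset({"user", "old_password", "new_password"})  # assumed names


class InvalidPassword(Exception):
    """The old password did not authenticate the user."""


class PolicyError(Exception):
    """Password policy rejected the new password; str(exc) is the server's text."""


def ldap_backend(conn, base_dn):
    """Backend over a python-ldap connection.  Assumes passwd_s issues the RFC 3062
    password modify extended op and that 389-ds reports policy violations as
    constraintViolation with the reason in 'info'.  Shown for reference, not run."""
    import ldap
    import ldap.dn

    def change(user, old, new):
        dn = "uid=%s,%s" % (ldap.dn.escape_dn_chars(user), base_dn)
        try:
            conn.passwd_s(dn, old, new)
        except ldap.INVALID_CREDENTIALS:
            raise InvalidPassword()
        except ldap.CONSTRAINT_VIOLATION as exc:
            raise PolicyError(exc.args[0].get("info", "password policy violation"))
    return change


def make_app(backend):
    """Build the WSGI app; backend(user, old, new) raises the two errors above."""

    def respond(start_response, status, result=None, policy_text=None):
        headers = [("Content-Type", "text/html; charset=utf-8")]
        text = status
        if result is not None:
            headers.append(("X-IPA-Pwchange-Result", result))
            text = "Password change result: %s" % result
        if policy_text is not None:
            # Collapse whitespace (CR/LF included) so server text cannot inject headers.
            headers.append(("X-IPA-Pwchange-Policy-Error", " ".join(policy_text.split())))
            text += " (%s)" % policy_text
        # Escape before embedding: the policy text originates from the directory server.
        body = ("<html><body><p>%s</p></body></html>" % html.escape(text)).encode("utf-8")
        headers.append(("Content-Length", str(len(body))))
        start_response(status, headers)
        return [body]

    def app(environ, start_response):
        if environ.get("REQUEST_METHOD") != "POST":
            return respond(start_response, "405 Method Not Allowed")
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            return respond(start_response, "400 Bad Request")
        raw = environ["wsgi.input"].read(length).decode("utf-8", "replace")
        form = parse_qs(raw, keep_blank_values=True)
        # Missing, unknown or repeated fields are rejected before the backend is touched.
        if set(form) != REQUIRED_FIELDS or any(len(v) != 1 for v in form.values()):
            return respond(start_response, "400 Bad Request")
        user, old, new = (form[k][0] for k in ("user", "old_password", "new_password"))
        try:
            backend(user, old, new)
        except InvalidPassword:
            return respond(start_response, "200 Success", "invalid-password")
        except PolicyError as exc:
            return respond(start_response, "200 Success", "policy-error", str(exc))
        return respond(start_response, "200 Success", "ok")

    return app


def demo_backend(user, old, new):
    """Constructed stand-in for ldap_backend: one account (alice / old-secret) and a
    length policy whose error text deliberately carries a CRLF."""
    if (user, old) != ("alice", "old-secret"):
        raise InvalidPassword()
    if len(new) < 8:
        raise PolicyError("Password is too short\r\nX-Injected: 1")


def call(app, body, method="POST"):
    """Drive app with a constructed WSGI environ; return (status, headers, html)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    data = body.encode("utf-8")
    environ = {"REQUEST_METHOD": method, "CONTENT_LENGTH": str(len(data)),
               "wsgi.input": io.BytesIO(data)}
    page = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], captured["headers"], page


demo_app = make_app(demo_backend)

if __name__ == "__main__":
    for body in ("user=alice&old_password=old-secret&new_password=longenough1",
                 "user=alice&old_password=old-secret&new_password=short",
                 "user=alice&old_password=old-secret"):
        print(call(demo_app, body)[:2])
```

Two points worth keeping even in a sketch: the policy text returned by the directory server is untrusted from the web tier's point of view, so it is whitespace-collapsed before it becomes a header value and HTML-escaped before it lands in the page; and the field check rejects repeated fields as well as missing or unknown ones, which is the kind of case Rob suggests turning the test script into a test suite for.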
