[Freeipa-devel] Capturing passwords for migration at bind-time?

Simo Sorce ssorce at redhat.com
Thu Jun 26 16:08:40 UTC 2008


On Thu, 2008-06-26 at 12:00 -0400, John Dennis wrote:
> Simo Sorce wrote: 
> > On Thu, 2008-06-26 at 11:14 -0400, John Dennis wrote:
> >   
> > > Nalin Dahyabhai wrote:
> > >     
> > > > Would it be useful to also intercept the password used when a simple or
> > > > SASL/PLAIN bind requests succeed, and take the opportunity to generate
> > > > the hashes so that we can avoid forcing password changes?
> > > >   
> > > >       
> > > How do you plan to intercept the plain text password in IPA? We aren't 
> > > in control of the services a user is likely to issue a SASL/PLAIN bind 
> > > to are we?
> > >     
> > 
> > We control the LDAP server, that's the only SASL/PLAIN bind we care
> > about.
> > 
> >   
> Right, but when and in what context are users doing a plain bind to
> our LDAP server? Wouldn't this be very atypical?

This is a migration scenario, I see at least 2 ways:

a) some frontend (web?) app is built to proxy the user password to ldap
by performing a bind.

b) we provide a pam module smart enough to check the user status against
ldap if pam_kerb5 fails, and if it finds the user is in "upgrade" mode,
perform an (SSL protected) simple bind against the ldap server.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
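The bind-time capture discussed above, as an added offline Python sketch (not IPA's or the directory server's own code): a migrated entry carries only a legacy {SSHA} hash plus an assumed upgradeMode flag, and a successful TLS-protected simple bind verifies the clear-text password against that hash, generates the new key (PBKDF2 is an assumed stand-in for the real key generation) and clears the flag, so the user is never forced to change the password.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample directory: one migrated user who still carries only the
# legacy {SSHA} hash copied from the old directory and is flagged "upgrade".
def _ssha(password: bytes, salt: bytes) -> str:
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

DIRECTORY = {
    "uid=alice,cn=users,dc=example,dc=test": {
        "userPassword": _ssha(b"correct horse", b"\x01\x02\x03\x04"),
        "upgradeMode": True,   # assumed attribute marking "not yet migrated"
        "migratedKey": None,   # (salt, key) once generated at bind time
    }
}

def check_ssha(stored: str, password: bytes) -> bool:
    """Verify a legacy {SSHA} value: base64(sha1(pw + salt) + salt)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)

def derive_new_key(password: bytes, salt: bytes) -> bytes:
    """Stand-in for the key generation the server performs once it sees the
    clear-text password (assumption: PBKDF2-SHA256, not a Kerberos string2key)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def simple_bind(dn: str, password: bytes, tls: bool = True) -> bool:
    """Emulate the bind hook: refuse a clear-text bind that is not TLS
    protected, verify against the legacy hash, and on success generate the
    new key and take the entry out of upgrade mode."""
    if not tls:
        return False
    entry = DIRECTORY.get(dn)
    if entry is None or not check_ssha(entry["userPassword"], password):
        return False
    if entry["upgradeMode"]:
        salt = secrets.token_bytes(16)
        entry["migratedKey"] = (salt, derive_new_key(password, salt))
        entry["upgradeMode"] = False
    return True
```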
