[Freeipa-devel] Consistent password hashing and lookups

Dmitri Pal dpal at redhat.com
Sun May 11 19:04:00 UTC 2014


On 05/11/2014 01:27 PM, James wrote:
> Hi #freeipa,
>
> I'm working on improving my puppet-ipa module...
> One area I'm working on is "better password management"...
>
> In any case, here's the problem:
>
> I want to give the script the ability to change it. The easy way to do
> this is to compare what it is currently, to what it is set to. As I'm
> assuming it's hashed, you have to compare hashes, IOW:
>
> /usr/bin/test `hashed(somepass)` = `function_lookup_hash()`

This is scary.
This means that you are expecting to have a hash stored somewhere else 
outside the DS.

Can you describe the workflow?
You want to be able to reset the admin password, right?
How do you bind? Using the same admin password? Or a keytab?


>
> Assuming the admin password is stored as a deterministic hash, I need
> two things:
>
> 1) To know how to run the hashing function manually (say from python)
> 2) To know how to lookup the stored hash manually (say from python)
>
> Thanks to ab (#freeipa), I know how to set the admin password:
>
> # split by the periods!
> $domain_split = split("${valid_domain}", '\.')
>
> # add dc= to each array element
> $prefix = prefix($domain_split, 'dc=')
> $suffix = join($prefix, ',')			# eg: dc=example,dc=com
>
> $socket_realm = regsubst("${valid_realm}", '\.', '-', 'G')
> $ldapuri = "ldapi://%2fvar%2frun%2fslapd-${socket_realm}.socket"
>
> $admin_password_change = "/usr/bin/ldappasswd -Y EXTERNAL -s `${admin_password_exec}` -H ${ldapuri} uid=admin,cn=users,cn=accounts,${suffix}"
>
> I also have the same question for the DM password, however I don't yet
> know how to set it. If someone has a script for that, I'd love that too!
>
> Thanks again!
> James


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
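An added illustration of why the `hashed(somepass) = function_lookup_hash()` comparison sketched above cannot use a fixed hash function (this is example code, not from the thread or from FreeIPA): it assumes the directory stores userPassword in a salted scheme such as {SSHA} or {SSHA512}, where the value is base64(digest || salt) and the salt is random per write, so two hashes of the same password differ and a check must reuse the salt embedded in the stored value. It does not address the separate concern of reading hashes out of the DS at all; a bind attempt verifies a password without extracting anything.

```python
import base64
import hashlib
import hmac
import os

# Salted storage schemes handled here (assumption: 389-DS/OpenLDAP style
# "{SCHEME}" + base64(digest || salt); the digest length fixes the split point).
SCHEMES = {"SSHA": hashlib.sha1, "SSHA256": hashlib.sha256, "SSHA512": hashlib.sha512}


def make_salted_hash(password, scheme="SSHA512", salt=None):
    """Build a {SCHEME} userPassword value; a fresh random salt unless one is given."""
    digest_fn = SCHEMES[scheme]
    if salt is None:
        salt = os.urandom(8)  # constructed sample salt; the server picks its own
    digest = digest_fn(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_salted_hash(password, stored):
    """Check a candidate password against a stored {SSHA*} value using its own salt."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, b64 = stored[1:].partition("}")
    digest_fn = SCHEMES.get(scheme.upper())
    if digest_fn is None:
        return False  # unknown or unsalted scheme: refuse rather than guess
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    digest_len = digest_fn().digest_size
    if len(raw) <= digest_len:
        return False  # no salt bytes present; malformed value
    digest, salt = raw[:digest_len], raw[digest_len:]
    candidate = digest_fn(password.encode("utf-8") + salt).digest()
    # Constant-time comparison so the check itself does not leak digest bytes.
    return hmac.compare_digest(candidate, digest)
```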
