[Freeipa-devel] Consistent password hashing and lookups

James purpleidea at gmail.com
Sun May 11 22:31:12 UTC 2014


On Sun, May 11, 2014 at 3:04 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
> This is scary.
> This means that you are expecting to have a hash being stored somewhere else
> outside the DS.
Haha, I agree! Actually, worse! I will have the plain text password
stored somewhere outside the DS! Let me give you more background:

I think this is an atrociously bad idea. However *everybody* stores
password credentials poorly in puppet. So in order to do it properly,
I've gone to great lengths to support something smarter for
puppet-ipa. Most of the code is already done.

https://github.com/purpleidea/puppet-ipa/tree/feat/better-pw

You'll be very pleased to know it doesn't do anything bad! BUT: I am
still going to support the "bad method" of storing the actual password
in puppet. Sad, but still used. So I do need to know how to do this
bad thing, but if you look at my code, you'll see I'm doing something
clever. Once it's all done and tested, I'll blog about it and announce
the technique publicly.

>
> Can you describe the workflow?
> You want to be able to reset the admin password, right?
> How do you bind? Using same admin password? Or keytab?

I don't bind. I'm running as root on the FreeIPA server.
