[Freeipa-users] Library to change expired password

Sumit Bose sbose at redhat.com
Fri Oct 30 07:47:57 UTC 2009


On Thu, Oct 29, 2009 at 10:54:01PM -0600, Jason Gerard DeRose wrote:
> On Thu, 2009-10-29 at 17:56 -0400, Dan Scott wrote:
> > Hi,
> > 
> > I'm trying to integrate FreeIPA with a Java webapp using JAAS. I have
> > the login module configured properly and it is working fine.
> > 
> > However, I have a problem with the initial user setup. New accounts
> > are created with expired passwords for good reason. However, I would
> > like a way for a user to change their expired kerberos password
> > which does not use the command line. e.g. an SSL web form.
> > 
> > On searching the web, there does not appear to be a (free) java
> > library which implements the same functionality as ipa-passwd, kinit
> > or ssh for changing expired passwords. Does anyone know if such a
> > thing exists? The IPA documentation indicates that ssh has an option
> > 'challenge-response' for changing expired passwords. I would like the
> > same functionality on a web page.
> 
> Yes, you raise a good point and we obviously need a way to do this via
> the web UI.
> 
> Rob, if a user's password is expired, how does the password change work?
> Does the user still do a Kerberos auth with the old password, or do we
> need a non-Kerberos protected web page through which to update the
> password?
> 
> Either way, this will be a simple thing to add to the UI.
> 

If the password is expired you get KRB5KDC_ERR_KEY_EXP when requesting a
TGT. Please note that you will always get this response no matter if
the password matches the old password or not. You can then request a
password change ticket, principal: kadmin/changepw, with the old
password and run the password change with this ticket.

I would expect that you cannot use a kerberos protected page, because
you do not have a TGT and cannot request a service ticket for the web
server.

bye,
Sumit
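The exchange Sumit describes, written out as an added example that is not part of the thread and not FreeIPA or MIT Kerberos code: a constructed toy KDC that answers an AS-REQ for the TGT with KRB5KDC_ERR_KEY_EXP before it ever checks the password, but issues a kadmin/changepw ticket only after the old password has been verified, plus the two web-side calls a login form and a password-change form would make. The three numeric error codes are the MIT krb5 error-table values; everything else (principal names, the PBKDF2 stand-in for string-to-key, the ToyKDC class) is an assumption made for the example.

```python
"""Toy model of the Kerberos expired-password flow (constructed example, not FreeIPA code)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Error codes from the MIT krb5 error table (com_err base -1765328384).
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN = -1765328378  # base + 6
KRB5KDC_ERR_KEY_EXP = -1765328361              # base + 23
KRB5KDC_ERR_PREAUTH_FAILED = -1765328360       # base + 24


def derive_key(password: str, salt: str) -> bytes:
    # Stand-in for the Kerberos string-to-key function (assumption: PBKDF2 here).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


@dataclass
class Principal:
    name: str
    key: bytes
    expired: bool = False


@dataclass
class Ticket:
    client: str
    service: str


class ToyKDC:
    """Minimal KDC: only the AS exchange and the password-change service are modelled."""

    CHANGEPW = "kadmin/changepw"

    def __init__(self, realm: str) -> None:
        self.realm = realm
        self.db = {}

    def _salt(self, name: str) -> str:
        return self.realm + name

    def add_principal(self, name: str, password: str, expired: bool = False) -> None:
        self.db[name] = Principal(name, derive_key(password, self._salt(name)), expired)

    def as_req(self, client: str, service: str, password: str) -> Tuple[int, Optional[Ticket]]:
        """Answer an AS-REQ for `service`; returns (error_code, ticket)."""
        p = self.db.get(client)
        if p is None:
            return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, None
        # The expiry check runs before pre-authentication is validated, so for
        # an expired account a TGT request returns KEY_EXP whether or not the
        # supplied password is right. Only the change-password service is exempt.
        if p.expired and service != self.CHANGEPW:
            return KRB5KDC_ERR_KEY_EXP, None
        if not hmac.compare_digest(p.key, derive_key(password, self._salt(client))):
            return KRB5KDC_ERR_PREAUTH_FAILED, None
        return 0, Ticket(client, service)

    def change_password(self, ticket: Ticket, new_password: str) -> bool:
        """kpasswd-style change: accepted only with a kadmin/changepw ticket."""
        if ticket.service != self.CHANGEPW:
            return False
        p = self.db[ticket.client]
        p.key = derive_key(new_password, self._salt(ticket.client))
        p.expired = False
        return True


def web_login(kdc: ToyKDC, user: str, password: str) -> str:
    """What a login form learns from a TGT request: ok, password_expired or failed."""
    code, _tgt = kdc.as_req(user, "krbtgt/" + kdc.realm, password)
    if code == 0:
        return "ok"
    if code == KRB5KDC_ERR_KEY_EXP:
        # Do NOT treat this as "old password verified": the KDC never checked it.
        return "password_expired"
    return "failed"


def web_change_expired_password(kdc: ToyKDC, user: str, old: str, new: str) -> bool:
    """The change-password form: the old password is verified only here."""
    code, ticket = kdc.as_req(user, ToyKDC.CHANGEPW, old)
    if code != 0 or ticket is None:
        return False
    return kdc.change_password(ticket, new)


if __name__ == "__main__":
    kdc = ToyKDC("EXAMPLE.COM")
    kdc.add_principal("dan", "old-secret", expired=True)
    print(web_login(kdc, "dan", "wrong-guess"))                          # password_expired
    print(web_change_expired_password(kdc, "dan", "wrong-guess", "x"))   # False
    print(web_change_expired_password(kdc, "dan", "old-secret", "n3w"))  # True
    print(web_login(kdc, "dan", "n3w"))                                  # ok
```

The point for the web UI is the asymmetry: the login form cannot distinguish a correct old password from a wrong one once the account is expired, so the change form must itself go through kadmin/changepw with the old password, and the page serving that form cannot sit behind Kerberos authentication because the user holds no TGT at that moment.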
