[Freeipa-users] Library to change expired password

Rob Crittenden rcritten at redhat.com
Fri Oct 30 21:42:45 UTC 2009


Dan Scott wrote:
>> This may not be too difficult to do in a web form (SSL protected, of
>> course). You should be able to create a non-kerberos auth page that prompts
>> for username, old and new password and a submit button. You could pass this
>> onto a simple backend that does an LDAP bind as the user with the old
>> password then use ldap_passwd() to set the new password.
> 
> Thanks. Do you have a particular language in mind for the
> ldap_passwd() command? This sounds like a good way to go about it.
> I've been looking at the ldappasswd command to figure out the correct
> arguments, but this seems to require an SSL connection (Which is not
> currently configured on my ipa server). This is strange, as ipa-passwd
> and/or kpasswd don't appear to require SSL (maybe I'm wrong about
> this). Anyway, is there a way to do this without using SSL?

I'll respond in reverse.

I don't believe the LDAP server will accept password changes over an 
unencrypted channel, so you either need to bind using GSSAPI or use SSL.

We use forwarded tickets in XML-RPC so our LDAP connections don't use 
SSL, we do a GSSAPI bind which brings its own encryption. You will have 
to do a simple bind since you'll just have a username/password.

We configure SSL for the LDAP server so as long as you trust the IPA CA 
you can do an SSL connection.

You can do it in whatever language you feel most comfortable with. You 
can write it as a CGI using perl, use mod_python, PHP, etc. All of these 
have some amount of LDAP support.

> 
> I might be making this all far too complicated. I have considered
> using JNI to wrap a C kerberos library. Does this sound like a
> reasonable idea?

I'm pretty sure Java supports kerberos natively. It can also speak LDAP 
natively.

>>>> Is there any documentation on the FreeIPA XMLRPC which I can read? I
>>>> have the API, but no more. I had to dig into the apache configuration
>>>> to find the domain path context (/xml/ipa).
>> Yes, just the API is documented, there aren't any programming examples other
>> than the code itself AFAIK.
>>
>> One thing you can do is add the -v option to the ipa command-line tools to
>> see the XML-RPC request/response. That might help.
> 
> Thanks for that tip. It's useful to see the RPCs. Just to confirm,
> there's no way to perform the 'un-authenticated' XML RPC to change a
> password, even if the expired password is supplied in the call?

Right, no unauthenticated access. We let Apache's mod_auth_kerb module 
handle authentication for us and expect a ticket in the entry point. 
Even if you configured it to not require a ticket things would very 
likely blow up. That said, you can probably look at ipaldap.py for 
inspiration on how to do the password change in python (if you choose to 
go that route).

> 
> Thanks,
> 
> Dan Scott
> http://danieljamesscott.org


rob
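As an added example (not code from this thread or from FreeIPA itself), here is the flow Rob describes, in Python with python-ldap: a simple bind as the user over LDAPS trusting the IPA CA, then the RFC 3062 Password Modify extended operation that ldap_passwd() wraps, with the request value encoded by hand so the wire format is visible. The server name, DN layout and CA file path are assumptions.

```python
"""Change a user's own password over LDAPS: simple bind with the old
password, then the RFC 3062 Password Modify extended operation.
Hostname, DN and CA path below are assumptions, not values from the thread."""
from urllib.parse import urlparse

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 extended op


def _ber(tag: int, payload: bytes) -> bytes:
    """Minimal BER TLV encoder (definite lengths up to 65535 bytes)."""
    n = len(payload)
    if n < 128:
        length = bytes([n])
    elif n < 256:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload


def passwd_modify_request(user_dn: str, old_pw: str, new_pw: str) -> bytes:
    """PasswdModifyRequestValue ::= SEQUENCE {
         userIdentity [0], oldPasswd [1], newPasswd [2] }  (context tags)"""
    body = (_ber(0x80, user_dn.encode())
            + _ber(0x81, old_pw.encode())
            + _ber(0x82, new_pw.encode()))
    return _ber(0x30, body)


def is_encrypted_uri(uri: str) -> bool:
    """Only ldaps:// is acceptable here: the directory refuses password
    changes on a cleartext channel, and the old/new password must never
    cross the wire unencrypted (GSSAPI is the other option, not usable
    with a plain username/password form)."""
    return urlparse(uri).scheme == "ldaps"


def change_password(uri: str, user_dn: str, old_pw: str, new_pw: str,
                    ca_file: str = "/etc/ipa/ca.crt") -> bool:
    """Bind as the user with the old password, then send the extended op.
    Raises ValueError on a cleartext URI; ldap.INVALID_CREDENTIALS or
    ldap.UNWILLING_TO_PERFORM propagate when the bind or policy fails."""
    import ldap  # python-ldap, imported lazily so the encoder above needs no deps
    if not is_encrypted_uri(uri):
        raise ValueError("password changes require ldaps:// (or GSSAPI)")
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_file)   # trust the IPA CA
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn = ldap.initialize(uri)
    conn.simple_bind_s(user_dn, old_pw)                    # bind as the user
    req = ldap.extop.ExtendedRequest(PASSWD_MODIFY_OID,
                                     passwd_modify_request(user_dn, old_pw, new_pw))
    conn.extop_s(req)                                      # raises on failure
    conn.unbind_s()
    return True
```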