Fwd: [Freeipa-users] Library to change expired password

Dan Scott danieljamesscott at gmail.com
Fri Oct 30 22:16:52 UTC 2009


Sorry, forgot to copy everyone else in.

Dan


---------- Forwarded message ----------
From: Dan Scott <danieljamesscott at gmail.com>
Date: Fri, Oct 30, 2009 at 18:15
Subject: Re: [Freeipa-users] Library to change expired password
To: Rob Crittenden <rcritten at redhat.com>


Hi,

On Fri, Oct 30, 2009 at 17:42, Rob Crittenden <rcritten at redhat.com> wrote:
> Dan Scott wrote:
>>>
>>> This may not be too difficult to do in a web form (SSL protected, of
>>> course). You should be able to create a non-kerberos auth page that
>>> prompts
>>> for username, old and new password and a submit button. You could pass
>>> this
>>> onto a simple backend that does an LDAP bind as the user with the old
>>> password then use ldap_passwd() to set the new password.
>>
>> Thanks. Do you have a particular language in mind for the
>> ldap_passwd() command? This sounds like a good way to go about it.
>> I've been looking at the ldappasswd command to figure out the correct
>> arguments, but this seems to require an SSL connection (which is not
>> currently configured on my ipa server). This is strange, as ipa-passwd
>> and/or kpasswd don't appear to require SSL (maybe I'm wrong about
>> this). Anyway, is there a way to do this without using SSL?
>
> I'll respond in reverse.
>
> I don't believe the LDAP server will accept password changes over an
> unencrypted channel, so you either need to bind using GSSAPI or use SSL.
>
> We use forwarded tickets in XML-RPC so our LDAP connections don't use SSL,
> we do a GSSAPI bind which brings its own encryption. You will have to do a
> simple bind since you'll just have a username/password.

OK, that makes sense, thanks. But there's still one thing I don't
really understand. How do the ipa tools obtain a ticket for the RPC
when the password has expired? This is the fundamental problem that I
have. I can't obtain a ticket because the password has expired and I
can't change the password because I don't have a ticket! :)

> You can do it in whatever language you feel most comfortable with. You can
> write it as a CGI using perl, use mod_python, PHP, etc. All of these have
> some amount of LDAP support.

OK, thanks. The reason I'm asking is because I've looked through
most/all of these technologies and I can't find much/anything related
to changing expired passwords. Admittedly, when I was looking for
this, I was attempting to use Kerberos, not LDAP. But the problem
appears the same for LDAP password changing support.

Python seems to be the exception where there is a good kerberos
library (and I have played around with this, but my Python knowledge
is very poor :) ). There doesn't appear to be a php-kerberos library
(Well, there is one for kadm, but not MIT kerberos). Java has Kerberos
support for the Login protocol via JAAS, but no support for changing
passwords. There's no java LDAP change password functionality, only
direct directory manipulation.

I'm not sure whether I'm trying to do something wrong, but it doesn't
seem like anyone else has had this problem before me. It seems very
strange that none of these technologies have good password change
support. Am I going about this the wrong way? :)

>> I might be making this all far too complicated. I have considered
>> using JNI to wrap a c kerberos library. Does this sound like a
>> reasonable idea?
>
> I'm pretty sure Java supports kerberos natively. It can also speak LDAP
> natively.

Sure, it does, primarily for login functionality. But support for
password changes does not appear to exist without client side hashing
and direct directory manipulation.

Thanks for your responses, they're very useful.

Dan
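Rob's suggestion above (simple bind as the user with the old password, then ldap_passwd()) and his point that the server refuses password changes over a cleartext channel, as an added example that is not part of this thread: it BER-encodes the RFC 3062 Password Modify extended request that ldap_passwd() sends, so it runs offline without a directory server; the DN, passwords and host name are constructed sample values.

```python
# Added example (not from the thread): what ldap_passwd() puts on the wire.
# RFC 3062 Password Modify, BER-encoded by hand; sample values are constructed.
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"   # RFC 3062 passwdModify

def ber_len(n: int) -> bytes:
    """BER definite length: one byte below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value

def passwd_modify_value(user_identity: str, old_passwd: str, new_passwd: str) -> bytes:
    """PasswdModifyRequestValue ::= SEQUENCE {
           userIdentity [0] OCTET STRING OPTIONAL,   -- tag 0x80
           oldPasswd    [1] OCTET STRING OPTIONAL,   -- tag 0x81
           newPasswd    [2] OCTET STRING OPTIONAL }  -- tag 0x82
    Sending oldPasswd lets the server re-check it even though the session was
    already bound as that user with the old password."""
    body = b""
    if user_identity:
        body += tlv(0x80, user_identity.encode("utf-8"))
    if old_passwd:
        body += tlv(0x81, old_passwd.encode("utf-8"))
    if new_passwd:
        body += tlv(0x82, new_passwd.encode("utf-8"))
    return tlv(0x30, body)

def extended_request(message_id: int, oid: str, value: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, ExtendedRequest [APPLICATION 23] }
    ExtendedRequest carries requestName [0] LDAPOID and requestValue [1] OCTET STRING."""
    msg_id = message_id.to_bytes(message_id.bit_length() // 8 + 1, "big")  # positive INTEGER
    op = tlv(0x80, oid.encode("ascii")) + tlv(0x81, value)
    return tlv(0x30, tlv(0x02, msg_id) + tlv(0x77, op))   # 0x77 = APPLICATION 23, constructed

def transport_is_protected(uri: str, starttls_done: bool = False, sasl_mech: str = "") -> bool:
    """Directory servers reject password changes over cleartext: send the request
    only over ldaps://, after StartTLS, or on a GSSAPI bind, which encrypts itself."""
    return uri.lower().startswith("ldaps://") or starttls_done or sasl_mech.upper() == "GSSAPI"

if __name__ == "__main__":
    # Constructed sample: a web form collected username, old and new password.
    value = passwd_modify_value("uid=dan,cn=users,cn=accounts,dc=example,dc=com", "Old-Pass-1", "New-Pass-2")
    assert transport_is_protected("ldap://ipa.example.com", starttls_done=True)
    print(extended_request(1, PASSWD_MODIFY_OID, value).hex())
```

The bytes returned by extended_request() are exactly what a client library hands to the server after the simple bind; a plain ldap:// connection without StartTLS fails transport_is_protected(), matching the rejection Rob describes.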



