[Freeipa-users] Provision user accounts & groups from external IM

Simo Sorce simo at redhat.com
Wed Jun 6 12:46:17 UTC 2012


On Wed, 2012-06-06 at 14:34 +0200, Willem Bos wrote:
> Hi Alexander,
> 
> 
> I did some experimenting with the example at
> http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/ and am now able to create a user using the following as input to curl (-d @user_add.json) :
> 
> 
> {
>   "method":"user_add",
>   "params":[
>     [],
>     {
>       "uid":"test",
>       "givenname":"test",
>       "sn":"test",
>       "userpassword":"test"
>     }
>   ]
> }
> 
> 
> I'm left with two questions :
> - Is it possible to use a hashed password (as stored in the 'meta-IM')
> as a value for userpassword? And if so, will this propagate to the
> created Kerberos principal?

Nope, we need the clear text in order to generate the krb5 keys.

> - After creation, I'm forced to change the password when running
> `kinit test`. Is it possible to reset/prevent the forced password
> change?

Yes, see: http://www.freeipa.org/page/PasswordSynchronization

> As a test, I tried to set the '-needchange' attribute using kadmin but
> that returned "... Insufficient access while modifying..."

This is not controlled by kadmin.
> 
> I grepped the mailing list archives / API.txt / source code / etc. for
> clues but without success...

See above, it is really easy to create an agent with the right
permissions.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
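
An added example, not part of the original thread and not FreeIPA code: a pre-flight check for a provisioning script that builds the `user_add` body in the shape Willem posted and holds back any record whose `userpassword` looks like a stored hash, since the reply above says clear text is needed to generate the krb5 keys. The function names, the sample records and the hash-detection heuristic (RFC 2307 `{SCHEME}` prefix or crypt(3) `$id$` prefix) are assumptions.

```python
import json
import re

# Heuristic (assumption): "{SSHA}..." style and crypt(3) "$6$salt$hash" style
# values are stored hashes, not clear text.
_HASHED = re.compile(r"^(\{[A-Za-z0-9_-]+\}.+|\$[0-9a-z]+\$.+)")


class HashedPasswordError(ValueError):
    """The source record carries a password hash instead of clear text."""


def looks_hashed(value):
    return bool(_HASHED.match(value))


def build_user_add(record):
    """Return the JSON body for user_add, in the shape shown in the thread."""
    missing = [k for k in ("uid", "givenname", "sn") if not record.get(k)]
    if missing:
        raise ValueError("missing attributes: " + ", ".join(missing))
    options = {k: record[k] for k in ("uid", "givenname", "sn")}
    password = record.get("userpassword")
    if password is not None:
        if looks_hashed(password):
            # Name the account only; never echo the value into logs.
            raise HashedPasswordError("hashed userpassword for %r" % record["uid"])
        options["userpassword"] = password
    return json.dumps({"method": "user_add", "params": [[], options]})


def plan(records):
    """Split records into request bodies to send and uids to hold back."""
    bodies, held = [], []
    for rec in records:
        try:
            bodies.append(build_user_add(rec))
        except HashedPasswordError:
            held.append(rec["uid"])
    return bodies, held


# Constructed sample records, as an external identity manager might export them.
SAMPLE = [
    {"uid": "test", "givenname": "test", "sn": "test", "userpassword": "test"},
    {"uid": "alice", "givenname": "Alice", "sn": "Ng", "userpassword": "{SSHA}constructedValue=="},
    {"uid": "bob", "givenname": "Bob", "sn": "Li"},
]

if __name__ == "__main__":
    ready, held_back = plan(SAMPLE)
    print(len(ready), "requests ready; held back:", held_back)
```

The heuristic can misfire on a clear-text password that happens to start with `$id$` or `{NAME}`, so held-back accounts need a manual look rather than silent dropping.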



