[Freeipa-users] Advice on hosting reset_password in jboss instance

Alexander Bokovoy abokovoy at redhat.com
Wed Mar 5 15:15:20 UTC 2014


On Wed, 05 Mar 2014, Mcadams, Shaun wrote:
>We use ipa on our red hat boxes and have recently installed a SAS
>suite/servers for a contract.  Their users are a mix of
>internal/external associates.  Integrating with this ipa was
>straight-forward.  Their application is able to use pam, but their
>logon manager is limited as it does not support ids that have expired
>or need reset.  For security reasons, some of which are IDM UI related, we
>cannot expose the web app for those users to reset their passwords.  So
>investigating a little bit, we found a few options but I wanted to
>solicit any feedback for anyone who has been there done that.
>
>We have the process working via the /ipa/session/change_password via a
>python script which we could form feed.  At the same time I see that
>there is already a reset_password form, JavaScript created.  So I don't
>know that this is even necessary.  However, I have found that hosting
>those in a web server isn't working and one person believes that could
>be related to the wrong ldap hostname.
>
>Anyway, just wanted to see if anyone has faced this before. Thanks.
Remember that passwords are managed in LDAP and integrated with
Kerberos. This gives you a few other options than what is described above:

- use kpasswd to perform password change directly against KDC
   +: can be scripted easily
   +: requires no setup of additional privileges in IPA
   -: cannot be used when password is forgotten

- use LDAP password change operation, through ldappasswd
   +: can be scripted easily
   +: requires no setup with additional privileges
   -: cannot be used when password is forgotten

For cases when the password is forgotten, an admin has to reset the user's
password through the
   ipa passwd <user>
command line interface, and then the user can use any of the above to change
the password.

All options above are scriptable since all tools accept passwords over
standard input or through a file.

If you want to build a web application to reset passwords, then you need
to understand how conditional delegation works in IPA. As your
application works on the user's behalf against IPA with Kerberos
credentials, it needs to be explicitly allowed to delegate the user's
credentials. For doing that, read my article at
https://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html

-- 
/ Alexander Bokovoy
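As an added example for this thread (not code from either poster or from FreeIPA itself), here is the form-fed script approach Shaun describes, written in Python 3 against the /ipa/session/change_password endpoint. It assumes a hypothetical server name, ipa.example.test, and the form fields the Web UI's reset form posts (user, old_password, new_password, optional otp); the outcome is read from the X-IPA-Pwchange-Result response header, with the policy message in X-IPA-Pwchange-Policy-Error. Because the endpoint authenticates with the current password, it shares the caveat above: a forgotten password still needs an admin `ipa passwd <user>` reset first.

```python
"""Scripted self-service password change via FreeIPA's /ipa/session/change_password.

Added example for this thread, not FreeIPA's or the posters' code.  Assumptions:
the server name ipa.example.test is hypothetical; the form fields (user,
old_password, new_password, otp) and the X-IPA-Pwchange-Result header are the
contract the IPA Web UI reset form uses.  Python 3 standard library only.
"""
import getpass
import sys
import urllib.error
import urllib.parse
import urllib.request

IPA_BASE_URL = "https://ipa.example.test"  # assumption: hypothetical IPA server

# Values FreeIPA places in the X-IPA-Pwchange-Result response header.
RESULT_OK = "ok"
RESULT_BAD_OLD = "invalid-password"
RESULT_POLICY = "policy-error"
RESULT_ERROR = "error"


def build_request(base_url, user, old_password, new_password, otp=None):
    """Build the form-encoded POST the Web UI's reset form sends."""
    fields = {"user": user, "old_password": old_password, "new_password": new_password}
    if otp:  # second factor is only sent when the account uses OTP
        fields["otp"] = otp
    return urllib.request.Request(
        base_url.rstrip("/") + "/ipa/session/change_password",
        data=urllib.parse.urlencode(fields).encode("utf-8"),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "text/plain"},
    )


def classify_result(headers):
    """Map the response headers to (result_code, detail) the caller can act on.

    `headers` is any mapping with .get(); urllib's HTTPMessage qualifies.
    """
    result = (headers.get("X-IPA-Pwchange-Result") or RESULT_ERROR).lower()
    if result == RESULT_OK:
        return RESULT_OK, "password changed"
    if result == RESULT_BAD_OLD:
        # The current password was rejected.  Same limit as kpasswd/ldappasswd:
        # a forgotten password must first be reset by an admin (ipa passwd <user>).
        return RESULT_BAD_OLD, "current password rejected; admin reset needed if forgotten"
    if result == RESULT_POLICY:
        # The server names the failed policy rule in a second header.
        detail = headers.get("X-IPA-Pwchange-Policy-Error") or "password policy violation"
        return RESULT_POLICY, detail
    return RESULT_ERROR, "server-side error during password change"


def change_password(base_url, user, old_password, new_password, otp=None, opener=None):
    """POST the change and return classify_result() of the server's answer.

    A non-200 status is classified from its headers too, since the result
    header may accompany an error status.
    """
    opener = opener or urllib.request.build_opener()  # default opener verifies TLS
    req = build_request(base_url, user, old_password, new_password, otp)
    try:
        with opener.open(req, timeout=15) as resp:
            return classify_result(resp.headers)
    except urllib.error.HTTPError as exc:
        return classify_result(exc.headers)


def main(argv):
    """Usage: change_password.py USER  (passwords via prompt, or two stdin lines)."""
    if len(argv) != 2:
        print("usage: change_password.py USER", file=sys.stderr)
        return 2
    user = argv[1]
    if sys.stdin.isatty():
        old = getpass.getpass("Current password: ")
        new = getpass.getpass("New password: ")
    else:  # scripted use: current password on line 1, new password on line 2
        old = sys.stdin.readline().rstrip("\n")
        new = sys.stdin.readline().rstrip("\n")
    code, detail = change_password(IPA_BASE_URL, user, old, new)
    print(f"{code}: {detail}")
    return 0 if code == RESULT_OK else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Feeding the two passwords on stdin (`printf '%s\n%s\n' "$OLD" "$NEW" | python3 change_password.py alice`) keeps them out of the process list, which is the same reason kpasswd and ldappasswd accept them from stdin or a file rather than on the command line.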
