[Freeipa-users] External Self Help Suggestions.

Dmitri Pal dpal at redhat.com
Tue May 19 22:38:54 UTC 2015


On 05/14/2015 07:09 PM, William Graboyes wrote:
> Hi Dmitri,
>
> No I am sticking to the 90 day, gotta start the change in the right direction somewhere :).
>
> So I am trying out LBT Self service password, and I am wondering if there is documentation anywhere on how to create a service style account that has the ability to change a password without forcing the user to reset their password on next login.  This would be for if a user forgets their password and uses a mail token style auth.
Sorry for the delay.
I know there is a way to create such an account.
It is not exposed in the UI.
Here is the ticket to do it in UI/CLI:
https://fedorahosted.org/freeipa/ticket/2801
But I do not remember the procedure off the top of my head.
It might be found in the archives as it was explained a couple of times in 
the past.

>
> Thanks,
> Bill
> On 5/13/15 5:28 PM, Dmitri Pal wrote:
>> On 05/13/2015 08:18 PM, William Graboyes wrote:
>>> Hi Dmitri,
>>>
>>> That is quite a bucket of stuff... On the CA-less install, basically I
>>> don't want to have my users change their passwords again (they are
>>> complaining about the every 90 day password rotation policy), we do
>>> not have an internal CA, most of our "desk top support" folks don't
>>> even have access to all of the desktops in the place.  Like I said
>>> this place is mind bending when it comes to standard practices.  The
>>> CA-less would be good if it were possible to make that change in
>>> place, or make the change by standing up a new IPA server and having
>>> the ability to import the current data set.
>>>
>>> I was looking at PWM, and may try to get that implemented.
>> Another option is to reset the expiration time in the user entry and set it
>> to some date close to 2038, which is the end of 32-bit time.
>> If the problem is the 90 day policy you can just change the policy to be
>> 5000 days and then the next time people change their password they would not be
>> bothered for another 5000 days or so (make sure it does not roll over).
>> For people that already have 90 days in their entry you can run a script
>> once and move the date into the future.
>>
>> People have done it for the same reason and in the same way.
>>
>>> Thanks,
>>> Bill
>>>
>>> On 5/13/15 5:00 PM, Dmitri Pal wrote:
>>>> On 05/13/2015 07:40 PM, William Graboyes wrote:
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA512
>>>>>
>>>>> Hi List,
>>>>>
>>>>> I am trying to figure out a method of allowing users who do not have
>>>>> shell access to change their own passwords.  The GUI that comes with
>>>>> FreeIPA is out of the question due to the untrusted CA (yes I know we
>>>>> are a strange shop, there is nothing I can do about it, and you would
>>>>> want to gouge your eyes out if I told you the full story) becoming a
>>>>> "Bad habit forming" method of changing one's password.  I have been
>>>>> looking around for about a week now, and am somewhat lost and
>>>>> perplexed. The old documentation for FreeIPA basically says that it is
>>>>> not a good idea to manipulate the password directly in LDAP (and even
>>>>> then finding what hash is being used has been next to impossible).
>>>>>
>>>>> So the question is this, does anyone know of any tools out there that
>>>>> can happily, or even with some modification, allow me to set up a
>>>>> trusted external ssl site that allows users to change their passwords.
>>>> There is no external password reset self service in IPA yet. We will be
>>>> starting to look into this effort during summer.
>>>> Take a look at the bucket of tickets in the "FreeIPA Community Portal
>>>> Release" here https://fedorahosted.org/freeipa/report/3.
>>>>
>>>> What prevents you from making IPA trusted? You can chain IPA to your CA
>>>> or use it CA-less with certs from your own CA.
>>>> Then the UI would be an option, I assume.
>>>>
>>>> Another option is https://code.google.com/p/pwm/
>>>>
>>>>> Thanks,
>>>>> Bill
>>>>> -----BEGIN PGP SIGNATURE-----
>>>>> Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
>>>>> Comment: GPGTools - https://gpgtools.org
>>>>>
>>>>> iQIcBAEBCgAGBQJVU+DdAAoJEJFMz73A1+zryTIP/1dLBYfMwSNkvICW8PToUkD6
>>>>> MCQQt+yGblI2gqZiVm2NCHD4Lto4sDUJSdnQF++kcuCTd0u4P5twFR/LejIAa/Jc
>>>>> bKCO7XSmfBEh/+ArVeUBSsoBec2V0h6x3i98mChD55DzuRJj4HiIxGgM1KdeAgaV
>>>>> UdwI9wQEKOUCyHZyDVdEk/g+X1QMnNBPUXhdEiHtAkbqkxSan01iw2k1mGjfIOWU
>>>>> NfOThdj7K9vE18YIKuJ7L/uztvNyAaj+ZsR1uKayYxlpgMalUJDHW1u3gX2MPELm
>>>>> zpDWVj7mR0iZ78AJlSG0J7+ughBMq5jarlzdCYTHmFqe0dszmafDAdxIBKmWw+IW
>>>>> /BXIMDTR/CjoPW4D65fewEcqIVrODDft6GNDg7aYa0dF8eiOjQM3wNUVjmgBESBK
>>>>> ztcGuFID+bl96+GABuSo9OFS36/dKskhGK125gvpEgU8pWM4+POQDtWlHjFHw5Ml
>>>>> 1ZCZHxrQOp/drolh50uMTl6QrZSKt0U3Kikw+zzj5itAEtbhVrnfw7nvJHlhPsy/
>>>>> 7CG2WMv/iwXzif+ogSN6ClkOxSTqHftS2BW9uMP7meLNK0tRiCtTVSXSXIizTR96
>>>>> ZbCb9zbETfHYj2KE3nLeKAeycaN15+8NK1YgVYEh+ZqbsgdFgD6src6X/NP3v3dX
>>>>> kzyr3+tqYdDbgibcYyhd
>>>>> =5KCr
>>>>> -----END PGP SIGNATURE-----
>>>>>
>>


-- 
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
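The "run a script once and move the date into the future" step from Dmitri's reply, as an added example that is not from this thread or from the FreeIPA project. It assumes the standard IPA user container (cn=users,cn=accounts under the base DN) and the krbPasswordExpiration attribute in LDAP GeneralizedTime form (for example 20380101000000Z); the user entries are constructed sample data. It also carries the "make sure it does not roll over" check: any target date past what a signed 32-bit time_t can hold is rejected, both for the per-user target and for a maxlife policy value you are considering.

```python
"""Move IPA users' password expiration into the future without forcing a change.

Added example, not code from the list thread or from the FreeIPA project.
Assumes the standard IPA user DN layout and the krbPasswordExpiration
attribute (LDAP GeneralizedTime, UTC, 'Z' suffix). Sample users are constructed.
"""
from datetime import datetime, timedelta, timezone

GT_FMT = "%Y%m%d%H%M%SZ"
# Last instant a signed 32-bit time_t can hold: the roll-over the thread warns about.
EPOCH_32BIT_END = datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)

# Constructed sample users: (uid, current krbPasswordExpiration).
SAMPLE_USERS = [
    ("bill", "20150812000000Z"),   # still on the 90-day cycle
    ("carol", "20150601000000Z"),  # about to expire
    ("alice", "20380101000000Z"),  # already moved out, must not be touched
]


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime string (UTC, 'Z' suffix) into a datetime."""
    return datetime.strptime(value, GT_FMT).replace(tzinfo=timezone.utc)


def format_generalized_time(dt):
    """Render a timezone-aware datetime as LDAP GeneralizedTime in UTC."""
    return dt.astimezone(timezone.utc).strftime(GT_FMT)


def fits_32bit_time(dt):
    """True if dt is representable as a signed 32-bit epoch value."""
    return dt <= EPOCH_32BIT_END


def expiration_from_maxlife(changed_at, maxlife_days):
    """Expiration a password changed at `changed_at` gets under a maxlife policy.

    Raises ValueError when the result rolls past the 32-bit time limit, so a
    policy value like 5000 days can be sanity-checked before it is applied.
    """
    expires = changed_at + timedelta(days=maxlife_days)
    if not fits_32bit_time(expires):
        raise ValueError(
            f"maxlife of {maxlife_days} days from {changed_at:%Y-%m-%d} "
            f"lands on {expires:%Y-%m-%d}, past the 32-bit time limit")
    return expires


def build_ldif(users, new_expiration, base_dn="dc=example,dc=com"):
    """LDIF modify records that move each user's expiration forward.

    Users whose current expiration is already at or beyond the target are
    skipped, so running the generated LDIF twice changes nothing the second time.
    """
    if not fits_32bit_time(new_expiration):
        raise ValueError("target expiration is past the 32-bit time limit")
    target = format_generalized_time(new_expiration)
    records = []
    for uid, current in users:
        if parse_generalized_time(current) >= new_expiration:
            continue
        records.append(
            f"dn: uid={uid},cn=users,cn=accounts,{base_dn}\n"
            "changetype: modify\n"
            "replace: krbPasswordExpiration\n"
            f"krbPasswordExpiration: {target}\n"
            "-\n")
    return "\n".join(records)


if __name__ == "__main__":
    target = parse_generalized_time("20380101000000Z")
    print(build_ldif(SAMPLE_USERS, target))
```

The generated LDIF is meant to be fed to ldapmodify with an admin Kerberos ticket (for example `ldapmodify -Y GSSAPI -H ldap://ipa.example.com -f moved.ldif`, with the host name being an assumption), and the policy side of the same fix is `ipa pwpolicy-mod global_policy --maxlife=5000` (maxlife is in days). Writing krbPasswordExpiration directly bypasses IPA's own password-change path, which is exactly why the script only ever moves a date forward and refuses anything that would wrap the 32-bit clock; keep the emitted LDIF so the one-off change is auditable.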