[Freeipa-users] How to implement password expiration notifications?
Eivind Olsen
eivind at aminor.no
Wed Jun 8 13:17:28 UTC 2016
On 2016-06-08 14:00, Alexander Bokovoy wrote:
> Make a service (ipa service-add), download a keytab with the key for
> this service and use gss-proxy to provide refreshing credentials based
> on the keytab to a script that runs periodically.
Hm. I like that idea, now I just need to actually make it work here :)
I have done:
ipa service-add PWDREMIND/script.host.fqdn
ipa-getkeytab -s script.host.fqdn -k /etc/gssproxy/pwdremind.keytab -p PWDREMIND/script.host.fqdn
...and I have a file /etc/gssproxy/pwdremind.keytab
I added a section to /etc/gssproxy/gssproxy.conf :
[service/PWDREMIND]
mechs = krb5
cred_store = keytab:/etc/gssproxy/pwdremind.keytab
cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
euid = 0
I guess I could run the password reminder script as another user in cron
and change the euid line above accordingly.
Now I guess the next step is figuring out how to tell "ldapsearch" to
work with gssproxy (unless I've made some other glaring mistake
already).
Regards
Eivind Olsen
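
An added example, not part of the original message or of FreeIPA: the core step of the periodic reminder script discussed in this thread, picking out accounts whose password expires within a warning window from LDIF text such as ldapsearch prints. It assumes the expiry is read from the krbPasswordExpiration attribute; the uid and mail attribute names, the 14-day window and the sample entries are likewise assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: LDIF in the shape "ldapsearch -LLL" prints (not real accounts).
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
mail: alice@example.test
krbPasswordExpiration: 20160615131728Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
mail: bob@example.test
krbPasswordExpiration: 20160901000000Z

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
krbPasswordExpiration: 20160610000000Z

dn: uid=svc,cn=users,cn=accounts,dc=example,dc=test
uid: svc
"""

def parse_ldif(text):
    """Yield one dict per entry; joins LDIF continuation lines (leading space)."""
    entry, last = {}, None
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if line.startswith(" ") and last:
            entry[last] += line[1:]
        elif not line.strip():
            if entry:
                yield entry
            entry, last = {}, None
        elif ": " in line and not line.startswith("#"):
            last, value = line.split(": ", 1)
            entry[last] = value  # single-valued attributes are enough here

def expiring(ldif_text, now, warn_days=14):
    """Return (uid, mail, days_left) for passwords expiring within warn_days of now."""
    out = []
    for e in parse_ldif(ldif_text):
        stamp = e.get("krbPasswordExpiration")  # assumed attribute name
        if not stamp:
            continue  # entry has no expiry set
        expiry = datetime.strptime(stamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        left = expiry - now
        if timedelta(0) <= left <= timedelta(days=warn_days):  # skip already expired
            out.append((e.get("uid"), e.get("mail"), left.days))
    return out
```

Entries returned with mail set to None have no address to notify, so the calling script should log them instead of sending.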