Sorry again, forgot to CC the mailing list.

Dan

On Tue, Nov 3, 2009 at 16:10, Dan Scott <[email protected]> wrote:
> Hi,
>
> On Mon, Nov 2, 2009 at 07:33, Simo Sorce <[email protected]> wrote:
>> On Sun, 2009-11-01 at 22:26 -0500, Dan Scott wrote:
>>> On Sat, Oct 31, 2009 at 12:50, Simo Sorce <[email protected]> wrote:
>>> > On Fri, 2009-10-30 at 18:16 -0400, Dan Scott wrote:
>>> >> OK, that makes sense, thanks. But there's still one thing I don't
>>> >> really understand. How do the ipa tools obtain a ticket for the RPC
>>> >> when the password has expired?
>>> >
>>> > They don't, password change is done via kpasswd (or direct connection to
>>> > ldap and ldappasswd operation).
>>>
>>> So kpasswd can alter the LDAP directory without a ticket?
>>
>> kpasswd can take a ticket for kadmin/chang...@realm
>
> So is that a 'special' ticket, which can be obtained with an expired
> password? Which can then be used to change the user's password?
>
>>> Let me check to see if I've got this straight. There are no IPA
>>> specific tools for changing an expired password?
>>
>> Admin can always reset other users' passwords, but they will be expired.
>
> Well sure, :) but changing a user's expired password for another
> expired password doesn't really help. I meant more along the lines
> that there are no IPA specific tools which allow a non-admin user to
> change their own expired password.
>
>>> The only way that I can see at the moment is to 'manually' alter the
>>> LDAP directory. i.e. Hash the password myself and insert it into the
>>> database. Could someone point me in the right direction for the cn and
>>> hashing algorithm I need to use?
>>
>> No, prehashed passwords are refused, we need the clear text password to be
>> able to create the kerberos keys.
>> The best way is to use the ldappasswd extended operation, although
>> probably writing the clear text password to userPassword should also
>> work.
>
> OK, thanks. I've located a Java library which implements the correct
> LDAP extended operations. I can change a non-expired password with no
> problem, but I still can't change an expired password. I am using:
>
> http://www.unboundid.com/products/ldapsdk/
>
> and I am attempting to bind to the LDAP directory using SimpleBindRequest
>
> http://www.unboundid.com/products/ldapsdk/docs/javadoc/com/unboundid/ldap/sdk/SimpleBindRequest.html
>
> This works fine for changing currently valid passwords, but I receive
> "LDAPException: invalid credentials" when attempting to bind using an
> expired password. Do I need to use a different bind type? There are
> several available: ANONYMOUSBindRequest, CRAMMD5BindRequest,
> DIGESTMD5BindRequest, EXTERNALBindRequest, GSSAPIBindRequest,
> PLAINBindRequest, SASLBindRequest. I assume that anonymous won't work.
> Maybe I need to request the kadmin/changepw ticket mentioned above
> using Kerberos and use this to bind to LDAP?
>
> Is there any documentation related to all this? Anything would be
> great but if there's anything related to the way it works in FreeIPA
> that would be even better. I've been searching high and low and I'm
> not really having much luck.
>
> Thanks,
>
> Dan

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
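Added example, not code from the thread or from the UnboundID project: the RFC 3062 password modify extended operation sent with the UnboundID SDK over LDAPS, so the clear-text old and new passwords the server needs for key generation travel only inside TLS. The host name, trust store path and user DN are assumptions; whether the server accepts the operation after a refused bind is decided by its password policy, not by the client.

```java
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SimpleBindRequest;
import com.unboundid.ldap.sdk.extensions.PasswordModifyExtendedRequest;
import com.unboundid.ldap.sdk.extensions.PasswordModifyExtendedResult;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;

/** Changes a user's own password with the RFC 3062 password modify extended operation. */
public class ChangePassword {

    // Assumed values: the directory host and a Java trust store holding the IPA CA certificate.
    static final String HOST = "ipa.example.com";
    static final String TRUST_STORE = "/etc/ipa/ca.jks";

    /**
     * Returns the LDAP result code of the password change. The old password is carried
     * inside the extended request itself, so the server can verify it independently of
     * whether the simple bind succeeded.
     */
    public static ResultCode change(String userDn, String oldPw, String newPw) throws Exception {
        // LDAPS only: both passwords are sent in clear text inside the TLS session,
        // and the trust store pins which CA may vouch for the server.
        SSLUtil sslUtil = new SSLUtil(new TrustStoreTrustManager(TRUST_STORE));
        LDAPConnection conn = new LDAPConnection(sslUtil.createSSLSocketFactory(), HOST, 636);
        try {
            try {
                conn.bind(new SimpleBindRequest(userDn, oldPw));
            } catch (LDAPException e) {
                // An expired password may be refused at bind time with invalidCredentials.
                // RFC 3062 allows a server to accept the operation on an unauthenticated
                // connection when userIdentity and oldPassword are supplied; the server's
                // policy decides whether it does. Any other bind failure is a real error.
                if (e.getResultCode() != ResultCode.INVALID_CREDENTIALS) {
                    throw e;
                }
            }
            PasswordModifyExtendedRequest req =
                    new PasswordModifyExtendedRequest(userDn, oldPw, newPw);
            PasswordModifyExtendedResult res =
                    new PasswordModifyExtendedResult(conn.processExtendedOperation(req));
            return res.getResultCode();
        } finally {
            conn.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // args: userDn oldPassword newPassword. Command-line passwords are visible to
        // other local users; read them from a prompt in real use.
        System.out.println(change(args[0], args[1], args[2]));
    }
}
```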
