On Tue, 2009-11-03 at 16:31 -0500, Dan Scott wrote:
> Sorry again, forgot to CC the mailing list.
>
> Dan
>
> On Tue, Nov 3, 2009 at 16:10, Dan Scott <[email protected]> wrote:
> > Hi,
> >
> > On Mon, Nov 2, 2009 at 07:33, Simo Sorce <[email protected]> wrote:
> >> On Sun, 2009-11-01 at 22:26 -0500, Dan Scott wrote:
> >>> On Sat, Oct 31, 2009 at 12:50, Simo Sorce <[email protected]> wrote:
> >>> > On Fri, 2009-10-30 at 18:16 -0400, Dan Scott wrote:
> >>> >> OK, that makes sense, thanks. But there's still one thing I don't
> >>> >> really understand. How do the ipa tools obtain a ticket for the RPC
> >>> >> when the password has expired?
> >>> >
> >>> > They don't; password change is done via kpasswd (or a direct connection to
> >>> > ldap and the ldappasswd operation).
> >>>
> >>> So kpasswd can alter the LDAP directory without a ticket?
> >>
> >> kpasswd can take a ticket for kadmin/chang...@realm
> >
> > So is that a 'special' ticket, which can be obtained with an expired
> > password? Which can then be used to change the user's password?

Pretty much.

> >>> Let me check to see if I've got this straight. There are no IPA
> >>> specific tools for changing an expired password?
> >>
> >> Admin can always reset other users' passwords, but they will be expired.
> >
> > Well sure, :) but changing a user's expired password for another
> > expired password doesn't really help. I meant more along the lines
> > that there are no IPA specific tools which allow a non-admin user to
> > change their own expired password.

Yes, the tool is called "kpasswd" :)
Or if you have it properly configured (and it should be if you use
ipa-client-install) you should also be able to use the normal "passwd"
command and perform the password change through the pam password stack.

> >>> The only way that I can see at the moment is to 'manually' alter the
> >>> LDAP directory. i.e. Hash the password myself and insert it into the
> >>> database. Could someone point me in the right direction for the cn and
> >>> hashing algorithm I need to use?
> >>
> >> No, prehashed passwords are refused; we need the clear text password to be
> >> able to create the kerberos keys.
> >> The best way is to use the ldappasswd extended operation, although
> >> probably writing the clear text password to userPassword should also
> >> work.
> >
> > OK, thanks. I've located a Java library which implements the correct
> > LDAP extended operations. I can change a non-expired password with no
> > problem, but I still can't change an expired password. I am using:
> >
> > http://www.unboundid.com/products/ldapsdk/
> >
> > and I am attempting to bind to the LDAP directory using SimpleBindRequest
> >
> > http://www.unboundid.com/products/ldapsdk/docs/javadoc/com/unboundid/ldap/sdk/SimpleBindRequest.html
> >
> > This works fine for changing currently valid passwords, but I receive
> > "LDAPException :invalid credentials" when attempting to bind using an
> > expired password. Do I need to use a different bind type? There are
> > several available: ANONYMOUSBindRequest, CRAMMD5BindRequest,
> > DIGESTMD5BindRequest, EXTERNALBindRequest, GSSAPIBindRequest,
> > PLAINBindRequest, SASLBindRequest. I assume that anonymous won't work.
> > Maybe I need to request the kadmin/changepw ticket requested above
> > using Kerberos and use this to bind to LDAP?
> >
> > Is there any documentation related to all this? Anything would be
> > great but if there's anything related to the way it works in FreeIPA
> > that would be even better. I've been searching high and low and I'm
> > not really having much luck.

What have you used so far? Simple auth?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
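An added illustration of the approach Simo points to (the ldappasswd extended operation, RFC 3062) using the UnboundID SDK Dan mentions; this is example code written for this page, not code from the thread or from FreeIPA. It assumes the server's password-change plugin accepts the user's identity and current password inside the request in place of a bind, which is what would let an expired password be changed without the failing simple bind; the host and DN are placeholders.

```java
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.extensions.PasswordModifyExtendedRequest;
import com.unboundid.ldap.sdk.extensions.PasswordModifyExtendedResult;

/**
 * Changes a user's own password with the Password Modify extended
 * operation instead of a simple bind followed by a modify. The
 * connection is left unauthenticated: userIdentity and the old password
 * travel inside the request, so the server verifies the old password
 * itself. Assumption (not from the thread): the directory's
 * password-change plugin honours this form for an expired password.
 */
public class ExpiredPasswordChange {

    // Placeholders: substitute the real IPA server and the user's DN.
    private static final String HOST = "ipa.example.com";
    private static final int PORT = 389;
    private static final String USER_DN =
        "uid=dan,cn=users,cn=accounts,dc=example,dc=com";

    public static ResultCode changeOwnPassword(String host, int port, String userDn,
                                               String oldPassword, String newPassword)
            throws LDAPException {
        // Use LDAPS or StartTLS in practice: both passwords are sent in the
        // clear, and the server needs the clear text to derive the Kerberos
        // keys (pre-hashed values are refused, as noted in the thread).
        LDAPConnection conn = new LDAPConnection(host, port);
        try {
            // No bind() call here; the old password in the request is the proof.
            PasswordModifyExtendedRequest request =
                new PasswordModifyExtendedRequest(userDn, oldPassword, newPassword);
            PasswordModifyExtendedResult result =
                (PasswordModifyExtendedResult) conn.processExtendedOperation(request);
            return result.getResultCode();
        } finally {
            conn.close();
        }
    }

    public static void main(String[] args) throws LDAPException {
        // args[0] = current (possibly expired) password, args[1] = new password
        ResultCode rc = changeOwnPassword(HOST, PORT, USER_DN, args[0], args[1]);
        System.out.println(rc == ResultCode.SUCCESS
            ? "Password changed." : "Password change refused: " + rc);
    }
}
```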
