Hi Simo,

I totally missed http://www.freeipa.org/page/PasswordSynchronization (and chapter 8.5.3 of the IPA guide :-) Thanks for pointing it out!

Regards,
Willem.

On Wed, Jun 6, 2012 at 2:46 PM, Simo Sorce <[email protected]> wrote:

> On Wed, 2012-06-06 at 14:34 +0200, Willem Bos wrote:
> > Hi Alexander,
> >
> > I did some experimenting with the example at
> > http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/ and
> > am now able to create a user using the following as input to curl (-d
> > @user_add.json) :
> >
> > {
> >   "method":"user_add",
> >   "params":[
> >     [],
> >     {
> >       "uid":"test",
> >       "givenname":"test",
> >       "sn":"test",
> >       "userpassword":"test"
> >     }
> >   ]
> > }
> >
> > I'm left with two questions :
> > - Is it possible to use a hashed password (as stored in the 'meta-IM')
> > as a value for userpassword? And if so, will this propagate to the
> > created Kerberos principal?
>
> Nope, we need the clear text in order to generate the krb5 keys.
>
> > - After creation, I'm forced to change the password when running
> > `kinit test`. Is it possible to reset prevent the forced password
> > change?
>
> Yes, see: http://www.freeipa.org/page/PasswordSynchronization
>
> > As a test, I tried to set the '-needchange' attribute using kadmin but
> > that returned "... Insufficient access while modifying..."
>
> This is not controlled by kadmin.
>
> > I grepped the mailing list archives / API.txt / source code / etc. for
> > clues but without success...
>
> See above, it is really easy to create an agent with the right
> permissions.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
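
Since the thread establishes that `userpassword` has to be sent in clear text, here is one way to stage the quoted `user_add` request so the password is random, sits only in an owner-readable file, and never appears on the curl command line. This is an added example, not code from the thread or from FreeIPA; the host name `ipa.example.test` and all function names are assumptions.

```python
import json
import os
import secrets
import tempfile

# Placeholder host (assumption); /ipa/json is the Kerberos-authenticated JSON endpoint.
IPA_URL = "https://ipa.example.test/ipa/json"


def build_user_add(uid, givenname, sn, password):
    """Request body in the same shape as the user_add.json quoted in the thread."""
    return {
        "method": "user_add",
        "params": [[], {"uid": uid, "givenname": givenname, "sn": sn,
                        "userpassword": password}],
    }


def write_private(payload):
    """Write the payload to a fresh file only the owner can read; return its path."""
    fd, path = tempfile.mkstemp(prefix="user_add_", suffix=".json")  # created 0600
    with os.fdopen(fd, "w") as fh:
        json.dump(payload, fh)
    return path


def curl_argv(path, url=IPA_URL):
    """curl command line: the password is read from the file, never placed in argv."""
    referer = url.rsplit("/", 1)[0]  # FreeIPA expects a Referer under /ipa
    return ["curl", "--negotiate", "-u", ":", "--cacert", "/etc/ipa/ca.crt",
            "-H", "Content-Type: application/json", "-H", "Referer: " + referer,
            "-d", "@" + path, url]


def prepare(uid, givenname, sn):
    """Generate a random initial password, stage the request, return (path, argv)."""
    password = secrets.token_urlsafe(18)
    path = write_private(build_user_add(uid, givenname, sn, password))
    return path, curl_argv(path)


if __name__ == "__main__":
    path, argv = prepare("test", "test", "test")  # constructed sample values
    try:
        print(" ".join(argv))  # run this with a valid Kerberos ticket (kinit)
    finally:
        os.remove(path)  # do not leave the clear-text password on disk
```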
