Martin Kosek wrote:
On Mon, 2012-06-11 at 10:36 +0200, Martin Kosek wrote:
On Thu, 2012-06-07 at 23:07 -0400, Simo Sorce wrote:
On Thu, 2012-06-07 at 22:28 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
You can use the attached script ( to test the PW change
interface from command line (on IPA server).


IPA server web form-based authentication allows logins for users
which for some reason cannot use Kerberos authentication. However,
when a password for such users expires, they are unable to change the
password via web interface.

This patch adds a new WSGI script attached to URL
/ipa/session/change_password which can be accessed without
authentication and which provides password change capability
for web services.

The actual password change in the script is processed with kpasswd
to be consistent with /ipa/session/login_password.

Password result is passed both in the resulting HTML page, but
also in HTTP headers for easier parsing in web services:
    X-IPA-Pwchange-Result: {ok, invalid-password, policy-error}
    (optional) X-IPA-Pwchange-Policy-Error: $policy_error_text

It is probably more efficient to change the password using ldap. Simo,
do you know of an advantage of using one over the other? Better password
policy reporting may be reason enough.

Yes you'll get better error reporting, plus forking out kpasswd is quite
ugly, the python ldap code should be able to use the ldap passwd extend
op quite easily.


Ok, sending a second version of the patch based on password change via
LDAP. The error reporting is indeed easier and with no hard-coded


This patch will only work with SELinux disabled, it seems there is a
regression in SELinux policy which does not allow httpd to connect to
dirsrv socket. I logged a Bug:

This issue also disables other pages using dirsrv socket, like the
migration page or password-expiration detection in form-based auth.


For '200 Success' you can use rpcserver.HTTP_STATUS_SUCCESS.

This works ok and does successfully change passwords but I don't like the logging very much. It should say that this is the password request URI somewhere at a minimum. Having the HTTP response is a bit strange too, and I don't know if a 400 should be logged as info.

I think this test program could be made into a test suite too, particularly to check the more esoteric parts like checking for missing options, too many options, etc.
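The endpoint described in the thread (an unauthenticated WSGI script that changes a password over LDAP and reports the outcome in `X-IPA-Pwchange-Result` / `X-IPA-Pwchange-Policy-Error` headers), written out as an added illustration. This is not the FreeIPA patch itself and not the project's code; the form field names (`user`, `old_password`, `new_password`), the `200`-for-all-processed-results convention, the `handle_change` / `make_app` / `run_request` helpers and the mapping of python-ldap exceptions to the two result values are assumptions of this example. It also shows the two points raised in the review: the log line names the request URI without ever including a password value, and the option validation (missing or unexpected fields) is factored so it can be exercised from a test suite without a directory server.

```python
"""Sketch of a form-based password-change WSGI endpoint (added example, not the FreeIPA patch)."""
import io
import logging
from urllib.parse import parse_qs

log = logging.getLogger("ipa.change_password")

# Field names are an assumption of this example, not taken from the patch.
REQUIRED_FIELDS = ("user", "old_password", "new_password")
HEADER_RESULT = "X-IPA-Pwchange-Result"          # ok | invalid-password | policy-error
HEADER_POLICY = "X-IPA-Pwchange-Policy-Error"    # only set for policy-error


class InvalidPassword(Exception):
    """Backend could not verify the current (old) password."""


class PolicyError(Exception):
    """Backend rejected the new password; str(exc) carries the policy text."""


def handle_change(path, body, change):
    """Validate the posted form and run one password change through `change`.

    `change(user, old, new)` returns None on success or raises
    InvalidPassword / PolicyError.  Returns (status, headers, text), the
    same shape the WSGI wrapper hands to start_response.
    """
    form = {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}
    missing = [f for f in REQUIRED_FIELDS if not form.get(f)]
    extra = sorted(set(form) - set(REQUIRED_FIELDS))
    if missing or extra:
        # Log field *names* only, so no password value can reach the log.
        log.info("%s: bad request, missing=%s unexpected=%s", path, missing, extra)
        text = "missing: %s; unexpected: %s\n" % (",".join(missing), ",".join(extra))
        return ("400 Bad Request", [("Content-Type", "text/plain")], text)

    user = form["user"]
    try:
        change(user, form["old_password"], form["new_password"])
        result, policy = "ok", None
    except InvalidPassword:
        result, policy = "invalid-password", None
    except PolicyError as e:
        result, policy = "policy-error", str(e)

    # Every log line identifies the password-change URI and the outcome, nothing secret.
    log.info("%s: password change for %r -> %s", path, user, result)
    headers = [("Content-Type", "text/plain"), (HEADER_RESULT, result)]
    if policy is not None:
        headers.append((HEADER_POLICY, policy))
    return ("200 Success", headers, "Password change result: %s\n" % result)


def make_app(change):
    """Wrap handle_change as a WSGI application bound to one backend."""
    def app(environ, start_response):
        length = int(environ.get("CONTENT_LENGTH") or 0)
        body = environ["wsgi.input"].read(length).decode("utf-8")
        status, headers, text = handle_change(environ.get("PATH_INFO", ""), body, change)
        start_response(status, headers)
        return [text.encode("utf-8")]
    return app


def run_request(app, path, body):
    """Drive a WSGI app in-process (test helper); returns (status, headers, text)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers

    raw = body.encode("utf-8")
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": path,
               "CONTENT_LENGTH": str(len(raw)), "wsgi.input": io.BytesIO(raw)}
    text = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], captured["headers"], text


def demo_backend(user, old, new):
    """Constructed stand-in for a directory: fixed old password, 8-char minimum."""
    if old != "oldpw":
        raise InvalidPassword()
    if len(new) < 8:
        raise PolicyError("Password is too short")


def ldap_backend(uri, dn_for_user):
    """Backend using the LDAP password modify extended op (RFC 3062) via python-ldap.

    Assumptions of this example: bind as the user with the old password, then
    call passwd_s(); the exception-to-result mapping is illustrative only.
    """
    def change(user, old, new):
        import ldap  # python-ldap, imported lazily so the rest runs without it
        conn = ldap.initialize(uri)
        dn = dn_for_user(user)
        try:
            conn.simple_bind_s(dn, old)
            conn.passwd_s(dn, old, new)
        except ldap.INVALID_CREDENTIALS:
            raise InvalidPassword()
        except (ldap.CONSTRAINT_VIOLATION, ldap.UNWILLING_TO_PERFORM) as e:
            # python-ldap carries the server's diagnostic message under 'info'
            raise PolicyError(e.args[0].get("info", "password rejected by policy"))
        finally:
            conn.unbind_s()
    return change
```

Because the backend is injected, the request handling can be covered by unit tests against `demo_backend` (missing field, unexpected field, wrong old password, policy rejection, success) while only `ldap_backend` needs a live server; the `run_request` helper is what such a suite would call in place of the command-line script.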


Freeipa-devel mailing list