On 05/11/2014 01:27 PM, James wrote:
Hi #freeipa,
I'm working on improving my puppet-ipa module...
One area I'm working on is "better password management"...
In any case, here's the problem:
I want to give the script the ability to change it. The easy way to do
this is to compare what it is currently, to what it is set to. As I'm
assuming it's hashed, you have to compare hashes, IOW:
/usr/bin/test `hashed(somepass)` = `function_lookup_hash()`
This is scary.
This means that you expecting to have a hash being stored somewhere else
outside the DS.
Can you describe the workflow?
You want to be able to reset the admin password, right?
How do you bind? Using same admin password? Or keytab?
Assuming the admin password is stored as a deterministic hash, I need
two things:
1) To know how to run the hashing function manually (say from python)
2) To know how to lookup the stored hash manually (say from python)
Thanks to ab (#freeipa), I know how to set the admin password:
# split by the periods!
$domain_split = split("${valid_domain}", '\.')
# add dc= to each array element
$prefix = prefix($domain_split, 'dc=')
$suffix = join($prefix, ',') # eg: dc=example,dc=com
$socket_realm = regsubst("${valid_realm}", '\.', '-', 'G')
$ldapuri = "ldapi://%2fvar%2frun%2fslapd-${socket_realm}.socket"
$admin_password_change = "/usr/bin/ldappasswd -Y EXTERNAL -s `
${admin_password_exec}` -H ${ldapuri} uid=admin,cn=users,cn=accounts,
${suffix}"
I also have the same question for the DM password, however I don't yet
know how to set it. If someone has a script for that, I'd love that too!
Thanks again!
James
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
