On 05/12/2014 03:47 AM, James wrote:
> On Sun, May 11, 2014 at 9:02 PM, Dmitri Pal <d...@redhat.com> wrote:
>> On 05/11/2014 06:31 PM, James wrote:
>>>
>>> On Sun, May 11, 2014 at 3:04 PM, Dmitri Pal <d...@redhat.com> wrote:
>>>>
>>>> This is scary.
>>>> This means that you are expecting to have a hash being stored somewhere else
>>>> outside the DS.
>>>
>>> Haha, I agree! Actually, worse! I will have the plain text password
>>> stored somewhere outside the DS! Let me give you more background:
>>>
>>> I think this is an atrociously bad idea. However *everybody* stores
>>> password credentials poorly in puppet. So in order to do it properly,
>>> I've gone to great lengths to support something smarter for
>>> puppet-ipa. Most of the code is already done.
>>>
>>
>> Which module do you want me to look at?
>> I am not going to review your whole project :-)
> I just posted it for fun. I wasn't looking for a review, though!
> The technique is rather complicated, so I'm going to save it for a
> longer blog post write-up when it's finished.
>
>>
>>
>>> https://github.com/purpleidea/puppet-ipa/tree/feat/better-pw
>>>
>>> You'll be very pleased to know it doesn't do anything bad! BUT: I am
>>> still going to support the "bad method" of storing the actual password
>>> in puppet. Sad, but still used. So I do need to know how to do this
>>> bad thing, but if you look at my code, you'll see I'm doing something
>>> clever. Once it's all done and tested, I'll blog about it and announce
>>> the technique publicly.
>>>
>>>> Can you describe the workflow?
>>>> You want to be able to reset the admin password, right?
>>>> How do you bind? Using same admin password? Or keytab?
>>>
>>> I don't bind. I'm running as root on the free-ipa server.
>>
>> But to do an LDAP operation you still need to connect to LDAP. You can use
>> LDAPI in this case but then you do not need to authenticate at all, I think
>> in this case you should be able to overwrite the password without knowing
>> the old one.
>>
>> I do not think we should promote bad and insecure practices around the
>> security product. That defeats the purpose. I strongly suggest avoiding
>> saving any password and resetting the existing password using local root. I
>> think it is possible. If not we need to think about the proper way of
>> solving your use case.
> Agreed. Which is why I posted the feature branch early, to hopefully
> convince the ipa community that I'm going about the password stuff the
> "right way".
>
> Anyways, back to the question:
> What commands can I use to look up the hash, and compute the hash? (Or
> simply test if a string password matches the stored password.)
>
> Same questions for the DM password.
>
> Thanks!
I sense some very black magic happening in this thread... I do not see any
reason for storing the password or hash of the password outside of FreeIPA.
As you said, you have a local root access to IPA machine, you can then bind
as Directory Manager and see or change any password.

1) Get fbar1's b64 encoded password hash:

# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -b 'uid=fbar1,cn=users,cn=accounts,dc=example,dc=com' userPassword

2) Forcefully change fbar1's password:

# ldappasswd -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket 'uid=fbar1,cn=users,cn=accounts,dc=example,dc=com' -s newpassword

Note that the user fbar1 will not be prompted for the new password as the
password was changed by DM.

As Dmitri wrote, a safer and a better approach would be to have the script
run as a special/system user with appropriate privilege, authenticated with
a keytab. Such user could then just call "ipa passwd" FreeIPA command.

If you are interested in resetting DM password, you can check:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Installation_Guide/Installation_Guide-Common_Usage-Resetting_Passwords.html
and
http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
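James asked how to test whether a string matches the stored password; the following is an added Python example, not code from the thread or from FreeIPA, that takes the userPassword value printed by the step 1 ldapsearch and checks a candidate against a 389-ds {SSHA}-family hash, so a tool can decide whether a reset is even needed without ever comparing plaintexts. The fbar1 LDIF, the fixed salt and the password Secret123 are constructed; {PBKDF2_SHA256} and other schemes are rejected rather than verified.

```python
import base64
import hashlib
import hmac
import os

# 389-ds / FreeIPA salted-hash scheme tags and their digest functions.
SCHEMES = {"SSHA": hashlib.sha1, "SSHA256": hashlib.sha256,
           "SSHA384": hashlib.sha384, "SSHA512": hashlib.sha512}

def make_hash(password, scheme="SSHA", salt=None):
    """Build a {SCHEME}base64(digest || salt) value; 389-ds uses an 8-byte salt."""
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme: " + scheme)
    salt = os.urandom(8) if salt is None else salt
    digest = SCHEMES[scheme](password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))

def check_password(password, stored):
    """True if password matches an {SSHA*} value; other schemes raise, not False."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("not a tagged password hash")
    tag, b64 = stored[1:].split("}", 1)
    fn = SCHEMES.get(tag.upper())
    if fn is None:
        raise ValueError("unsupported scheme: " + tag)
    raw = base64.b64decode(b64)
    size = fn().digest_size
    digest, salt = raw[:size], raw[size:]          # digest first, salt appended
    candidate = fn(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

def userpassword_from_ldif(ldif):
    """Pull userPassword out of ldapsearch LDIF, unfolding wrapped lines and decoding '::' base64."""
    lines = []
    for line in ldif.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]                  # LDIF continuation line
        else:
            lines.append(line)
    for line in lines:
        if line.lower().startswith("userpassword::"):
            return base64.b64decode(line.split("::", 1)[1].strip()).decode("ascii")
        if line.lower().startswith("userpassword:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no userPassword attribute in LDIF")

# Constructed sample of step 1 output: fixed salt, hypothetical password Secret123.
SAMPLE_HASH = make_hash("Secret123", "SSHA", b"\x01\x02\x03\x04\x05\x06\x07\x08")
SAMPLE_LDIF = "dn: uid=fbar1,cn=users,cn=accounts,dc=example,dc=com\nuserPassword:: %s\n" % base64.b64encode(SAMPLE_HASH.encode("ascii")).decode("ascii")
```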