On 05/12/2014 03:43 AM, Alexander Bokovoy wrote:
On Mon, 12 May 2014, Martin Kosek wrote:
On 05/12/2014 03:47 AM, James wrote:
On Sun, May 11, 2014 at 9:02 PM, Dmitri Pal <d...@redhat.com> wrote:
On 05/11/2014 06:31 PM, James wrote:

On Sun, May 11, 2014 at 3:04 PM, Dmitri Pal <d...@redhat.com> wrote:

This is scary.
This means that you expecting to have a hash being stored somewhere else
outside the DS.

Haha, I agree! Actually, worse! I will have the plain text password
stored somewhere outside the DS! Let me give you more background:

I think this is an atrociously bad idea. However *everybody* stores
password credentials poorly in puppet. So in order to do it properly,
I've gone to great lengths to support something smarter for
puppet-ipa. Most of the code is already done.

Which module do you want me to look at?
I am not going to review your whole project :-)
I just posted it for fun. I wasn't looking for a review, though!
The technique is rather complicated, so I'm going to save it for a
longer blog post write up when it's finished.


You'll be very pleased to know it doesn't do anything bad! BUT: I am
still going to support the "bad method" of storing the actual password
in puppet. Sad, but still used. So I do need to know how to do this
bad thing, but if you look at my code, you'll see I'm doing something
clever. Once it's all done and tested, I'll blog about it and announce
the technique publicly.

Can you describe the workflow?
You want to be able to reset the admin password, right?
How do you bind? Using same admin password? Or keytab?

I don't bind. I'm running as root on the free-ipa server.

But to do an LDAP operation you still need to connect to LDAP. You can use LDAPI in this case but then you do not need to authentocate at all, I think in this case you should be able to overwrite the password without knowing
the old one.

I do not think we should promote bad and insecure practices around the
security product. That defeats the purpose. I strongle suggest avoiding saving any password and resetting the existing password using local root. I
think it is possible. If not we need to think about the proper way of
solving your use case.
Agreed. Which is why I posted the feature branch early, to hopefully
convince the ipa community that I'm going about the password stuff the
"right way".

Anyways, back to the question:
What commands can I use to look up the hash, and compute the hash? (Or
simply test if a string password matches the stored password.)

Same questions for the DM password.


I sense some very black magic happening in this thread...

I do not see any reason for storing the password or hash of the password
outside of FreeIPA. As you said, you have a local root access to IPA machine,
you can then bind as Directory Manager and see or change any password.

1) Get fbar1;s b64 encoded password hash:

# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -b
'uid=fbar1,cn=users,cn=accounts,dc=example,dc=com' userPassword

2) Forcefully change fbar1's password:

# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket
'uid=fbar1,cn=users,cn=accounts,dc=example,dc=com' -s newpassword

Note that the user fbar1 will not be prompted for the new password as the password was changed by DM. As Dmitri wrote, a safer and a better approach would be to have the script run as a special/system user with appropriate privilege, authenticated with a keytab. Such user could then just call "ipa
passwd" FreeIPA command.
I think the point here is that puppet-ipa module is run by puppet under
root account already, so ldappasswd using ldapi with external auth under root
is enough. Introducing another user when you are already root seems to
be a bit overbloat in puppet's case.

Yes and this was my point too. If you have root you do not need to know the old password. You can just reset the current one to what you want.

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

Freeipa-devel mailing list

Reply via email to