Edward Valley wrote:
> Thank you Rob. By extending ipa-pwd-extop are you suggesting that I
> modify it (of course by submitting patches) or that I use it as the base
> for a new plugin? Is the latter possible without interference? Sorry if
> it's a silly question, right now I really don't know anything about
> 389-ds plugin architecture.

It would probably be far easier to update the existing plugin, you'd just
want to do a lot of due diligence about memory handling, variable
re-use, etc (coverity and clang can be very helpful).

rob

> 
> 10:58, March 4, 2019, "Rob Crittenden via FreeIPA-users"
> <[email protected]>:
> 
>     Edward Valley via FreeIPA-users wrote:
> 
>          You're right, that's one of the options I've considered and tested, but
>          going that way I need to set up several things, use a PAC file in order
>          for Firefox and Chrome to work, take into account mobile versions too,
>          configure browsers to trust the proxy's certificate, optionally install
>          a client certificate in browsers (which Firefox for Android can't do)
>          and have the proxy verify it, among other things that would require a
>          PKI infrastructure that I'm not willing to deploy (for now). Trust me, I
>          went through all of this, and it is secure enough, but it has a few
>          pitfalls that right now (without coding) there is no way to solve. But,
>          don't you think Kerberos authentication is a simpler and secure enough
>          approach? For now, I'm just trying to migrate to FreeIPA (because it fits
>          my needs and I think it's a better and tightly integrated solution) an
>          existing OpenLDAP backend, which already has the required hashes and
>          the automated way for generating them every time users change their
>          passwords. Thank you very much for your time.
> 
> 
>     To do this you'd need to write a 389-ds plugin to intercept the password
>     change and write out the hash. You could probably extend the
>     ipa-pwd-extop plugin to do this as we do something similar to keep the
>     userPassword and kerberos credentials in sync.
> 
>     You just need to be sensitive to security issues here. Passwords are
>     available in the clear only in this plugin so any mistake could
>     potentially expose them.
> 
>     rob
> 
> 
>          09:48, March 4, 2019, "Alexander Bokovoy via FreeIPA-users"
>          <[email protected]>:
> 
>              On ma, 04 maalis 2019, Edward Valley via FreeIPA-users wrote:
> 
>                  Thanks for your answer. Doing it the way you propose, squid uses
>                  basic authentication, which exposes user names and passwords in the
>                  network because of the simple base64 encoding.
> 
>              Just set up your clients to use HTTPS proxy connection in the browser.
> 
>              https://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection
>              talks about it. Both Chrome-based browsers and Firefox do work just fine
>              with HTTPS connection to the proxy for years now.
> 
>              --
>              / Alexander Bokovoy
>              Sr. Principal Software Engineer
>              Security / Identity Management Engineering
>              Red Hat Limited, Finland
>              _______________________________________________
>              FreeIPA-users mailing list -- [email protected]
>              To unsubscribe send an email to [email protected]
>              Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>              List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>              List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> 