Edward Valley via FreeIPA-users wrote:
> So that's the way to go. Let me read some code and I'll be back with a
> proposal. Is that ok or should I take it to another place? Thanks for
> your time Rob.

Using this list is fine for now. If you file a PR the discussion will move there.

rob

> 11:29, March 4, 2019, "Rob Crittenden via FreeIPA-users" <[email protected]>:
>> Edward Valley wrote:
>>> Thank you Rob. By extending ipa-pwd-extop are you suggesting that I
>>> modify it (of course by submitting patches) or that I use it as the base
>>> for a new plugin? Is the latter possible without interference? Sorry if
>>> it's a silly question, right now I really don't know anything about
>>> 389-ds plugin architecture.
>>
>> It would probably be far easier to update the existing plugin, you'd just
>> want to do a lot of due diligence about memory handling, variable
>> re-use, etc (coverity and clang can be very helpful).
>>
>> rob
>>
>>> 10:58, March 4, 2019, "Rob Crittenden via FreeIPA-users" <[email protected]>:
>>>> Edward Valley via FreeIPA-users wrote:
>>>>> You're right, that's one of the options I've considered and tested, but
>>>>> going that way I need to set up several things, use a PAC file in order
>>>>> for Firefox and Chrome to work, take into account mobile versions too,
>>>>> configure browsers to trust the proxy's certificate, optionally install
>>>>> a client certificate in browsers (which Firefox for Android can't do)
>>>>> and have the proxy verify it, among other things that would require a
>>>>> PKI infrastructure that I'm not willing to deploy (for now). Trust me, I
>>>>> went through all of this, and it is secure enough, but it has a few
>>>>> pitfalls that right now (without coding) there is no way to solve. But,
>>>>> don't you think Kerberos authentication is a simpler and secure enough
>>>>> approach? For now, I'm just trying to migrate to FreeIPA (because it fits
>>>>> my needs and I think it's a better and tightly integrated solution) an
>>>>> existing OpenLDAP backend, which already has the required hashes and
>>>>> the automated way for generating them every time users change their
>>>>> passwords. Thank you very much for your time.
>>>>
>>>> To do this you'd need to write a 389-ds plugin to intercept the password
>>>> change and write out the hash. You could probably extend the
>>>> ipa-pwd-extop plugin to do this as we do something similar to keep the
>>>> userPassword and kerberos credentials in sync.
>>>>
>>>> You just need to be sensitive to security issues here. Passwords are
>>>> available in the clear only in this plugin so any mistake could
>>>> potentially expose them.
>>>>
>>>> rob
>>>>
>>>>> 09:48, March 4, 2019, "Alexander Bokovoy via FreeIPA-users" <[email protected]>:
>>>>>> On Mon, 04 Mar 2019, Edward Valley via FreeIPA-users wrote:
>>>>>>> Thanks for your answer. Doing it the way you propose, squid uses basic
>>>>>>> authentication, which exposes user names and passwords in the network
>>>>>>> because of the simple base64 encoding.
>>>>>>
>>>>>> Just set up your clients to use HTTPS proxy connection in the browser.
>>>>>> https://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection
>>>>>> talks about it. Both Chrome-based browsers and Firefox do work just fine
>>>>>> with HTTPS connection to the proxy for years now.
>>>>>>
>>>>>> --
>>>>>> / Alexander Bokovoy
>>>>>> Sr. Principal Software Engineer
>>>>>> Security / Identity Management Engineering
>>>>>> Red Hat Limited, Finland
>>>>>> _______________________________________________
>>>>>> FreeIPA-users mailing list -- [email protected]
>>>>>> To unsubscribe send an email to [email protected]
>>>>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>>> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
