On 13.06.24 14:30, Rob Crittenden wrote:
Ronald Wimmer via FreeIPA-users wrote:
On 13.02.24 21:04, Ronald Wimmer via FreeIPA-users wrote:
On 13.02.24 18:54, Christian Heimes via FreeIPA-users wrote:
On 13/02/2024 18.03, Ronald Wimmer via FreeIPA-users wrote:
On 13.02.24 17:47, Rob Crittenden wrote:

I don't think it's possible to speculate without knowing your process.

This requires the cleartext password so assuming you create the staged
user then immediately active them, that would be the time to do the
bind. Otherwise you have to store cleartext passwords and that is a
recipe for disaster.

User is created by an external tool. User activation in IPA is done
by a script on one of the IPA servers periodically. Sadly, the
external tool cannot do an initial LDAP bind in order to create a
user's krb LDAP attributes. I am looking for a simple way to have these
properties created.

Sure I could say a user has to SSH somewhere but why can't that
happen if a user tries to login to IPA's WebGUI and the krb
properties are missing? Or is there another option for users to
accomplish this?

Because the IPA WebUI uses the Kerberos extension S4U2Proxy under the
hood. It allows the WebUI to talk to the LDAP server on behalf of the
user. This feature requires proper Kerberos credentials. See
https://www.freeipa.org/page/V4/Service_Constraint_Delegation

I already mentioned the recommended option to achieve this a while
ago. You may have missed the piece of information in this very long
thread. IPA servers have a special /ipa/migration route (e.g.
https://ipa.demo1.freeipa.org/ipa/migration/) for password migration.
Under the hood the endpoint just does an LDAP bind with username and
password. You can ask your users to either log into a machine with
ssh or go to the migration page.

I did indeed miss that vital information. It is more than sufficient
for our needs.

Thanks a lot guys. All scenarios that need to be working in our
environment do actually work now.

Did something change on the IPA side? Newly created users cannot log in
to the WebGUI anymore. They get a "Your session has expired" error.
Might have to do with this thread:
https://lists.fedorahosted.org/archives/list/[email protected]/thread/YFPMHCWA7R47ZSI75EZKCMSWLH5QYH4P/?sort=date

You don't provide enough information to tell. Did you upgrade versions?

Per the link, do your users have SIDs?

I was asking in an unspecific way because I knew that you would have some sort of suspicion...

You were absolutely right. The user does not have a SID. Which information do you need in order to further investigate the problem?

Cheers
Ronald
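As an added example (not code from the thread or from the FreeIPA project), a small Python audit that parses an LDIF export of IPA user entries and flags the two gaps discussed above: missing Kerberos keys (the user has never done an LDAP bind with their password) and a missing SID (the cause of the "session has expired" WebUI failure). The attribute names are the real IPA ones; the sample LDIF and the base DN are constructed.

```python
"""Audit IPA user entries (LDIF) for missing Kerberos keys and missing SIDs.

Real input can be produced on an IPA server with, for example:
  ldapsearch -Y GSSAPI -b "cn=users,cn=accounts,$BASEDN" "(objectClass=person)"
The SAMPLE_LDIF below is constructed for this demo.
"""

# Attributes whose absence explains the two symptoms discussed in the thread.
REQUIRED = {
    "krbPrincipalKey": "no Kerberos keys: user has never bound with their password",
    "ipaNTSecurityIdentifier": "no SID: WebUI login fails with 'session expired'",
}


def parse_ldif(text):
    """Return a list of {attr(lowercase): [values]} dicts, one per LDIF entry.
    Handles ':: ' base64 values (kept undecoded; presence is all we need)
    and folded continuation lines that start with a single space."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":                       # blank line ends an entry
            if cur:
                entries.append(cur)
            cur, last = {}, None
            continue
        if raw.startswith(" ") and last:    # folded continuation line
            cur[last][-1] += raw[1:]
            continue
        sep = ":: " if ":: " in raw else ": "
        name, _, value = raw.partition(sep)
        last = name.lower()                 # LDAP attribute names are case-insensitive
        cur.setdefault(last, []).append(value)
    if cur:
        entries.append(cur)
    return entries


def audit_users(ldif_text):
    """Map each uid to a list of problems found (an empty list means healthy)."""
    report = {}
    for entry in parse_ldif(ldif_text):
        uid = entry.get("uid", ["?"])[0]
        report[uid] = [why for attr, why in REQUIRED.items() if attr.lower() not in entry]
    return report


# Constructed sample: alice is complete, bob lacks a SID, carol lacks both.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
objectClass: person
krbPrincipalName: alice@EXAMPLE.TEST
krbPrincipalKey:: MIIBAgEBAgEBAgEB
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1001

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
objectClass: person
krbPrincipalName: bob@EXAMPLE.TEST
krbPrincipalKey:: MIIBAgEBAgEBAgEB

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
objectClass: person
krbPrincipalName: carol@EXAMPLE.TEST
"""

if __name__ == "__main__":
    for uid, problems in audit_users(SAMPLE_LDIF).items():
        print(uid, "OK" if not problems else "; ".join(problems))
```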
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]