Ronald Wimmer wrote:
> On 13.06.24 14:30, Rob Crittenden wrote:
>> Ronald Wimmer via FreeIPA-users wrote:
>>> On 13.02.24 21:04, Ronald Wimmer via FreeIPA-users wrote:
>>>> On 13.02.24 18:54, Christian Heimes via FreeIPA-users wrote:
>>>>> On 13/02/2024 18.03, Ronald Wimmer via FreeIPA-users wrote:
>>>>>> On 13.02.24 17:47, Rob Crittenden wrote:
>>>>>>>
>>>>>>> I don't think it's possible to speculate without knowing your process.
>>>>>>>
>>>>>>> This requires the cleartext password, so assuming you create the staged user then immediately activate them, that would be the time to do the bind. Otherwise you have to store cleartext passwords and that is a recipe for disaster.
>>>>>>
>>>>>> User is created by an external tool. User activation in IPA is done by a script on one of the IPA servers periodically. Sadly, the external tool cannot do an initial LDAP bind in order to create a user's krb LDAP attributes. I am looking for a simple way for these properties to be created.
>>>>>>
>>>>>> Sure, I could say a user has to SSH somewhere, but why can't that happen if a user tries to log in to IPA's WebGUI and the krb properties are missing? Or is there another option for users to accomplish this?
>>>>>
>>>>> Because the IPA WebUI uses the Kerberos extension S4U2Proxy under the hood. It allows the WebUI to talk to the LDAP server on behalf of the user. This feature requires proper Kerberos credentials. See https://www.freeipa.org/page/V4/Service_Constraint_Delegation
>>>>>
>>>>> I already mentioned the recommended option to achieve this a while ago. You may have missed the piece of information in this very long thread. IPA servers have a special /ipa/migration route (e.g. https://ipa.demo1.freeipa.org/ipa/migration/) for password migration. Under the hood the endpoint just does an LDAP bind with username and password. You can ask your users to either log into a machine with ssh or go to the migration page.
>>>>
>>>> I did indeed miss that vital information. It is more than sufficient for our needs.
>>>>
>>>> Thanks a lot, guys. All scenarios that need to be working in our environment do actually work now.
>>>
>>> Did something change on the IPA side? Newly created users cannot log in to the WebGUI anymore. They get a "Your session has expired" error. Might have to do with this thread: https://lists.fedorahosted.org/archives/list/[email protected]/thread/YFPMHCWA7R47ZSI75EZKCMSWLH5QYH4P/?sort=date
>>>
>>
>> You don't provide enough information to tell. Did you upgrade versions?
>>
>> Per the link, do your users have SIDs?
>
> I was asking in an unspecific way because I knew that you would have some sort of suspicion...
>
> You were absolutely right. The user does not have a SID. Which information do you need in order to further investigate the problem?
There are a bunch of threads in freeipa-users that describe how to troubleshoot this.

rob
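The thread turns on two per-user gaps that each break WebUI login: a user who has never done the initial LDAP bind (so no Kerberos keys were generated) and a user without a SID. As an added example, not code from the thread or from FreeIPA, here is a small offline audit of an LDIF export that flags both. It assumes the FreeIPA schema attribute names krbPrincipalKey and ipaNTSecurityIdentifier and runs on a constructed three-user sample (alice complete, bob missing both, carol missing only the SID).

```python
import re

# Constructed LDIF sample (not real data): only alice has both attributes.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
krbPrincipalKey:: Y29uc3RydWN0ZWQ=
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1001

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
krbPrincipalKey:: Y29uc3RydWN0ZWQ=
"""

# Assumed FreeIPA attribute names and what their absence means for WebUI login.
CHECKS = {
    "krbPrincipalKey": "no Kerberos keys yet; user must bind once (ssh login or /ipa/migration)",
    "ipaNTSecurityIdentifier": "no SID; WebUI login fails with 'Your session has expired'",
}

def parse_ldif(text):
    """Return {uid: set of attribute names}; handles '::' base64 values and folded lines."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:  # leading space = continuation of previous line
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        attrs = {}
        for line in lines:
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip(), value.lstrip(": ").strip())
        if "uid" in attrs:
            entries[attrs["uid"]] = set(attrs)
    return entries

def audit_ldif(text):
    """Map each uid to the gaps that would block a WebUI login (empty list = OK)."""
    return {uid: [f"missing {a}: {why}" for a, why in CHECKS.items() if a not in attrs]
            for uid, attrs in sorted(parse_ldif(text).items())}

if __name__ == "__main__":
    for uid, gaps in audit_ldif(SAMPLE_LDIF).items():
        print(uid, "OK" if not gaps else "; ".join(gaps))
```

On a real deployment, feed it the output of an ldapsearch over the users container instead of SAMPLE_LDIF; users listed under the first check are the ones to send to the migration page, the second check is the SID problem from the linked thread.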
