Ronald Wimmer via FreeIPA-users wrote:
> On 13.02.24 18:54, Christian Heimes via FreeIPA-users wrote:
>> On 13/02/2024 18.03, Ronald Wimmer via FreeIPA-users wrote:
>>> On 13.02.24 17:47, Rob Crittenden wrote:
>>>>
>>>> I don't think it's possible to speculate without knowing your process.
>>>>
>>>> This requires the cleartext password so assuming you create the staged
>>>> user then immediately activate them, that would be the time to do the
>>>> bind. Otherwise you have to store cleartext passwords and that is a
>>>> recipe for disaster.
>>>
>>> User is created by an external tool. User activation in IPA is done
>>> by a script on one of the IPA servers periodically. Sadly, the
>>> external tool cannot do an initial LDAP bind in order to create a
>>> user's krb LDAP attributes. I am looking for a simple way these
>>> properties are created.
>>>
>>> Sure I could say a user has to SSH somewhere but why can't that
>>> happen if a user tries to log in to IPA's WebGUI and the krb
>>> properties are missing? Or is there another option for users to
>>> accomplish this?
>>
>> Because the IPA WebUI uses the Kerberos extension S4U2Proxy under the
>> hood. It allows the WebUI to talk to the LDAP server on behalf of the
>> user. This feature requires proper Kerberos credentials. See
>> https://www.freeipa.org/page/V4/Service_Constraint_Delegation
>>
>> I already mentioned the recommended option to achieve this a while
>> ago. You may have missed the piece of information in this very long
>> thread. IPA servers have a special /ipa/migration route (e.g.
>> https://ipa.demo1.freeipa.org/ipa/migration/) for password migration.
>> Under the hood the endpoint just does an LDAP bind with username and
>> password. You can ask your users to either log into a machine with ssh
>> or go to the migration page.
>
> You wrote "under the hood it just does an LDAP bind". We let the
> external IAM system do an LDAP bind whenever a user's password changes.
> So we do not need to force users to establish an SSH connection or call
> the /ipa/migration route manually.
>
> Is it ok from your point of view to do it like that or do you see any
> culprits?
If the remote system already has the cleartext password it doesn't seem
risky for it to do a bind with it. Assuming you use startTLS or the ldaps
port of course.

rob
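An added example, not code from the thread or from FreeIPA itself, of what the external IAM system's post-password-change hook could look like: a simple LDAP bind as the user against the IPA directory, which is what the /ipa/migration route does under the hood, with Rob's caveat enforced in code so the cleartext password is never sent over an unencrypted connection. It assumes the third-party `ldap3` library and hypothetical host and base DN values.

```python
"""Trigger Kerberos key generation for a FreeIPA user by binding as that user.

Assumptions (not from the thread): the ldap3 library is installed, the
IPA server is ipa.example.test and the base DN is dc=example,dc=test.
"""
import ssl
from typing import Optional
from urllib.parse import urlparse

# FreeIPA keeps user entries under cn=users,cn=accounts,<base DN>.
USER_CONTAINER = "cn=users,cn=accounts"


def user_dn(uid: str, base_dn: str) -> str:
    """Build the bind DN for a FreeIPA user, rejecting characters that would alter the DN."""
    if not uid or any(c in uid for c in ',=+<>#;\\"\n'):
        raise ValueError("refusing to build a DN from an unsafe uid")
    return f"uid={uid},{USER_CONTAINER},{base_dn}"


def transport_mode(uri: str, start_tls: bool) -> Optional[str]:
    """'ldaps' or 'starttls' when the password would be protected, None otherwise."""
    scheme = urlparse(uri).scheme.lower()
    if scheme == "ldaps":
        return "ldaps"
    if scheme == "ldap" and start_tls:
        return "starttls"
    return None


def bind_as_user(uri: str, uid: str, password: str, base_dn: str,
                 start_tls: bool = False, ca_file: Optional[str] = None) -> bool:
    """Simple bind as the user; True on success. Refuses cleartext transports."""
    mode = transport_mode(uri, start_tls)
    if mode is None:
        raise RuntimeError(f"refusing to send a password over unencrypted {uri}")
    import ldap3  # imported lazily so the helpers above work without it

    # Validate the server certificate; ca_file is the IPA CA chain (assumption).
    tls = ldap3.Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_file)
    server = ldap3.Server(uri, tls=tls, get_info=ldap3.NONE)
    conn = ldap3.Connection(server, user=user_dn(uid, base_dn),
                            password=password, auto_bind=False)
    if mode == "starttls":
        conn.open()
        conn.start_tls()  # upgrade the plain ldap:// socket before binding
    ok = conn.bind()  # a successful bind lets IPA derive the user's Kerberos keys
    conn.unbind()
    return ok


if __name__ == "__main__":
    print(bind_as_user("ldaps://ipa.example.test", "alice", "s3cret-example",
                       "dc=example,dc=test", ca_file="/etc/ipa/ca.crt"))
```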