Hi, I'm trying to integrate FreeIPA with a Java webapp using JAAS. I have the login module configured properly and it is working fine.
However, I have a problem with the initial user setup. New accounts are created with expired passwords for good reason. However, I would like a way for a user to change their expired Kerberos password which does not use the command line, e.g. an SSL web form.

On searching the web, there does not appear to be a (free) Java library which implements the same functionality as ipa-passwd, kinit or ssh for changing expired passwords. Does anyone know if such a thing exists? The IPA documentation indicates that ssh has an option 'challenge-response' for changing expired passwords. I would like the same functionality on a web page.

Assuming that this is true (which I find very hard to believe), then I can think of 3 possible solutions:

1. Attempt to execute the system commands from within Java (Yuck - quite apart from the difficulties of escaping the arguments, the password will be displayed in the system process list while the command is being executed).
2. Use XMLRPC. Although this introduces another whole layer into the system, this might be the best way to go.
3. Update the user's password expiry in the LDAP directory to (say) 1 day in the future so that they can log in.

I am currently looking at the XMLRPC route. However, no matter what request I send to the server, I receive 'XmlRpcException:HTTP server returned unexpected status: Authorization Required'. Do I need to store the details of the failed login so that I can authorize my RPC?

Is there any documentation on the FreeIPA XMLRPC which I can read? I have the API, but no more. I had to dig into the Apache configuration to find the domain path context (/xml/ipa).

Thanks,

Dan Scott
http://danieljamesscott.org

_______________________________________________
Freeipa-users mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-users
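The process-list exposure raised under option 1 of the post, as an added example that is not part of the original message or of FreeIPA: it starts a child process twice, once with a secret in its arguments and once with the secret written to its standard input, and checks what the process table shows each time. The child is a stand-in `sh` command (an assumption, as are the class name and the constructed secret); the post does not say whether kinit or ipa-passwd accept a password on standard input.

```java
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.TimeUnit;

public class ArgvExposureDemo {
    // Constructed sample value, not a real credential.
    static final String SECRET = "Constructed-Passw0rd";

    // The command line other local users can read for the child
    // (the same data ps and /proc/<pid>/cmdline expose on Linux).
    static String visibleCommandLine(Process p) throws InterruptedException {
        TimeUnit.MILLISECONDS.sleep(200); // give the child time to start
        return p.info().commandLine().orElse("");
    }

    // Weak pattern: the secret is an argument, so it stays in the
    // process table for as long as the child runs.
    static boolean leaksViaArgv() throws Exception {
        Process p = new ProcessBuilder(
                "sh", "-c", "sleep 1; :", "stand-in-tool", SECRET).start();
        try {
            return visibleCommandLine(p).contains(SECRET);
        } finally {
            p.destroy();
        }
    }

    // Safer pattern: the secret travels over the child's stdin pipe
    // and never becomes part of its command line.
    static boolean leaksViaStdin() throws Exception {
        Process p = new ProcessBuilder("sh", "-c", "read -r pw; sleep 1; :").start();
        try (OutputStream childStdin = p.getOutputStream()) {
            childStdin.write((SECRET + "\n").getBytes(StandardCharsets.UTF_8));
            childStdin.flush();
            return visibleCommandLine(p).contains(SECRET);
        } finally {
            p.destroy();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("secret visible when passed in argv:  " + leaksViaArgv());
        System.out.println("secret visible when passed on stdin: " + leaksViaStdin());
    }
}
```

Passing each argument as a separate `ProcessBuilder` element, as here, also avoids the shell-escaping problem the post mentions, because no shell re-parses the secret.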