I'm trying to integrate FreeIPA with a Java webapp using JAAS. I have
the login module configured properly and it is working fine.

However, I have a problem with the initial user setup. New accounts
are created with expired passwords for good reason. However, I would
like a way for a user to change their expired Kerberos password
which does not use the command line, e.g. an SSL web form.

On searching the web, there does not appear to be a (free) Java
library which implements the same functionality as ipa-passwd, kinit
or ssh for changing expired passwords. Does anyone know if such a
thing exists? The IPA documentation indicates that ssh has an option
'challenge-response' for changing expired passwords. I would like the
same functionality on a web page.

Assuming that this is true (which I find very hard to believe), then I
can think of 3 possible solutions:

1. Attempt to execute the system commands from within Java (Yuck -
quite apart from the difficulties of escaping the arguments, the
password will be displayed in the system process list while the
command is being executed).
2. Use XMLRPC. Although this introduces another whole layer into the
system, this might be the best way to go.
3. Update the user's password expiry in the LDAP directory to (say) 1
day in the future so that they can login.

I am currently looking at the XMLRPC route. However, no matter what
request I send to the server, I receive 'XmlRpcException:HTTP server
returned unexpected status: Authorization Required'. Do I need to
store the details of the failed login so that I can authorize my RPC?

Is there any documentation on the FreeIPA XMLRPC which I can read? I
have the API, but no more. I had to dig into the apache configuration
to find the domain path context (/xml/ipa).


Dan Scott

Freeipa-users mailing list
