On Thu, 2009-10-29 at 17:56 -0400, Dan Scott wrote:
> Hi,
> I'm trying to integrate FreeIPA with a Java webapp using JAAS. I have
> the login module configured properly and it is working fine.
> However, I have a problem with the initial user setup. New accounts
> are created with expired passwords for good reason. However, I would
> like a way to for a user to change their expired kerberos password
> which does not use the command line. e.g. an SSL web form.
> On searching the web, there does not appear to be a (free) java
> library which implements the same functionality as ipa-passwd, kinit
> or ssh for changing expired passwords. Does anyone know if such a
> thing exists? The IPA documentation indicates that ssh has an option
> 'challenge-response' for changing expired passwords. I would like the
> same functionality on a web page.

Yes, you raise a good point and we obviously need a way to do this via
the web UI.

Rob, if a user's password is expired, how does the password change work?
Does the user still do a Kerberos auth with the old password, or do we
need a non-Kerberos protected web page through which to update the

Either way, this will be a simple thing to add to the UI.

> Assuming that this is true (which I find very hard to believe), then I
> can think of 3 possible solutions:
> 1. Attempt to execute the system commands from within Java (Yuck -
> quite apart from the difficulties of escaping the arguments, the
> password will be displayed in the system process list while the
> command is being executed).
> 2. Use XMLRPC. Although this introduces another whole layer into the
> system, this might be the best way to go.
> 3. Update the users password expiry in the LDAP directory to (say) 1
> day in the future so that they can login.
> I am currently looking at the XMLRPC route. However, no matter what
> request I send to the server, I receive 'XmlRpcException:HTTP server
> returned unexpected status: Authorization Required'. Do I need to
> store the details of the failed login so that I can authorize my RPC?

Ah, you've raised an important question that we currently don't have
documented, AFAIK.  Your XML-RPC client will have to set the
'Authorization' header for the Kerberos negotiation.  But as some
clients might not allow you to set the HTTP headers, we obviously need
other mechanisms, including using just a username/password.

For what it's worth, this is the Python code Rob wrote for doing this
(line 318 in ipalib/rpc.py):

class KerbTransport(SSLTransport):
    Handles Kerberos Negotiation authentication to an XML-RPC server.

    def _handle_exception(self, e, service=None):
        (major, minor) = ipautil.get_gsserror(e)
        if minor[1] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
            raise errors.ServiceError(service=service)
        elif minor[1] == KRB5_FCC_NOFILE:
            raise errors.NoCCacheError()
        elif minor[1] == KRB5KRB_AP_ERR_TKT_EXPIRED:
            raise errors.TicketExpired()
        elif minor[1] == KRB5_FCC_PERM:
            raise errors.BadCCachePerms()
        elif minor[1] == KRB5_CC_FORMAT:
            raise errors.BadCCacheFormat()
        elif minor[1] == KRB5_REALM_CANT_RESOLVE:
            raise errors.CannotResolveKDC()
            raise errors.KerberosError(major=major, minor=minor)

    def get_host_info(self, host):
        (host, extra_headers, x509) = SSLTransport.get_host_info(self, host)

        # Set the remote host principal
        service = "HTTP@" + host.split(':')[0]

            (rc, vc) = kerberos.authGSSClientInit(service,
                                                kerberos.GSS_C_DELEG_FLAG |
                                                kerberos.GSS_C_MUTUAL_FLAG |
        except kerberos.GSSError, e:

            kerberos.authGSSClientStep(vc, "")
        except kerberos.GSSError, e:
            self._handle_exception(e, service=service)

        extra_headers = [
            ('Authorization', 'negotiate %s' % 

        return (host, extra_headers, x509)

> Is there any documentation on the FreeIPA XMLRPC which I can read? I
> have the API, but no more. I had to dig into the apache configuration
> to find the domain path context (/xml/ipa).

Right now the documentation is scarce, but we're currently working on
solidifying and formalizing the XML-RPC API and plan to document it in
detail once this is done.

Thanks for your interest in FreeIPA and we appreciate your feedback!

> Thanks,
> Dan Scott
> http://danieljamesscott.org
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Freeipa-users mailing list

Reply via email to