Thanks for your replies.

On Fri, Oct 30, 2009 at 09:29, Rob Crittenden <rcrit...@redhat.com> wrote:
> Jason Gerard DeRose wrote:
>> On Thu, 2009-10-29 at 17:56 -0400, Dan Scott wrote:
>>> Hi,
>>> I'm trying to integrate FreeIPA with a Java webapp using JAAS. I have
>>> the login module configured properly and it is working fine.
>>> However, I have a problem with the initial user setup. New accounts
>>> are created with expired passwords for good reason. However, I would
>>> like a way to for a user to change their expired kerberos password
>>> which does not use the command line. e.g. an SSL web form.
>>> On searching the web, there does not appear to be a (free) java
>>> library which implements the same functionality as ipa-passwd, kinit
>>> or ssh for changing expired passwords. Does anyone know if such a
>>> thing exists? The IPA documentation indicates that ssh has an option
>>> 'challenge-response' for changing expired passwords. I would like the
>>> same functionality on a web page.
>> Yes, you raise a good point and we obviously need a way to do this via
>> the web UI.
>> Rob, if a user's password is expired, how does the password change work?
>> Does the user still do a Kerberos auth with the old password, or do we
>> need a non-Kerberos protected web page through which to update the
>> password?
>> Either way, this will be a simple thing to add to the UI.
> As Sumit said, the self-service page currently requires kerberos so you'd
> have to get a TGT first which means you need a valid password.
> This may not be too difficult to do in a web form (SSL protected, of
> course). You should be able to create a non-kerberos auth page that prompts
> for username, old and new password and a submit button. You could pass this
> onto a simple backend that does an LDAP bind as the user with the old
> password then use ldap_passwd() to set the new password.

Thanks. Do you have a particular language in mind for the
ldap_passwd() command? This sounds like a good way to go about it.
I've been looking at the ldappasswd command to figure out the correct
arguments, but this seems to require an SSL connection (which is not
currently configured on my ipa server). This is strange, as ipa-passwd
and/or kpasswd don't appear to require SSL (maybe I'm wrong about
this). Anyway, is there a way to do this without using SSL?

I might be making this all far too complicated. I have considered
using JNI to wrap a c kerberos library. Does this sound like a
reasonable idea?

>>> Is there any documentation on the FreeIPA XMLRPC which I can read? I
>>> have the API, but no more. I had to dig into the apache configuration
>>> to find the domain path context (/xml/ipa).
> Yes, just the API is documented, there aren't any programming examples other
> than the code itself AFAIK.
> One thing you can do is add the -v option to the ipa command-line tools to
> see the XML-RPC request/response. That might help.

Thanks for that tip. It's useful to see the RPCs. Just to confirm,
there's no way to perform the 'un-authenticated' XML RPC to change a
password, even if the expired password is supplied in the call?


Dan Scott
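
The flow Rob describes above (TLS-protected form, simple bind as the user with the old password, then an LDAP password change) as a worked example. This is added here for illustration and is not code from the thread or from the FreeIPA project. It assumes python-ldap as the client library, the standard FreeIPA user DN layout `uid=<name>,cn=users,cn=accounts,<base DN>`, a CA file for the IPA server's certificate, and that the directory accepts a simple bind with the expired old password as the reply suggests; the function and constant names other than the RFC 3062 OID are the example's own. The Password Modify request value is BER-encoded by hand so the bytes can be inspected offline: python-ldap's `passwd_s()` sends the same encoding, and JNDI has no built-in Password Modify request, so a Java `ExtendedRequest.getEncodedValue()` would have to return exactly these bytes. The example forces StartTLS or LDAPS before any password is sent; 389 Directory Server, which FreeIPA runs on, refuses the Password Modify operation over an unprotected connection with result code 13 (confidentialityRequired), which is consistent with ldappasswd insisting on SSL.

```python
"""Self-service change of an expired password over LDAP (added example,
not FreeIPA project code): simple bind as the user with the old password,
then the RFC 3062 Password Modify extended operation.

The request value is BER-encoded by hand so it can be inspected offline.
python-ldap is imported lazily inside the network function, so the encoder
and DN helpers run without it.
"""

# OID of the Password Modify extended operation (RFC 3062).
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_DN_SPECIAL = ',+"\\<>;'


def _ber_length(n):
    """Definite-length BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_tlv(tag, content):
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_length(len(content)) + content


def encode_passwd_modify_request(user_identity=None, old_password=None,
                                 new_password=None):
    """PasswdModifyRequestValue ::= SEQUENCE {
         userIdentity [0] OCTET STRING OPTIONAL,
         oldPasswd    [1] OCTET STRING OPTIONAL,
         newPasswd    [2] OCTET STRING OPTIONAL }
    Context-specific primitive tags [0], [1], [2] are 0x80, 0x81, 0x82."""
    content = b""
    for tag, value in ((0x80, user_identity), (0x81, old_password),
                       (0x82, new_password)):
        if value is not None:
            content += _ber_tlv(tag, value.encode("utf-8"))
    return _ber_tlv(0x30, content)  # 0x30 = SEQUENCE


def escape_dn_value(value):
    """Escape a username before splicing it into a DN, so a form value like
    'dan,uid=admin' cannot alter the DN structure."""
    out = []
    for ch in value:
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    escaped = "".join(out)
    if escaped.startswith((" ", "#")):
        escaped = "\\" + escaped
    if escaped.endswith(" ") and not escaped.endswith("\\ "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def ipa_user_dn(username, base_dn):
    """Assumed FreeIPA layout: uid=<name>,cn=users,cn=accounts,<base DN>."""
    return "uid=%s,cn=users,cn=accounts,%s" % (escape_dn_value(username), base_dn)


def change_expired_password(uri, username, old_password, new_password,
                            base_dn, ca_certfile):
    """Bind as the user with the old (possibly expired) password, then ask
    the server to replace it.  python-ldap exceptions to expect:
      ldap.INVALID_CREDENTIALS      wrong old password, or the server does
                                    not allow binds with an expired password
      ldap.CONFIDENTIALITY_REQUIRED connection is not TLS-protected
      ldap.CONSTRAINT_VIOLATION     new password rejected by password policy
    """
    import ldap  # python-ldap; imported here so the offline helpers need nothing

    user_dn = ipa_user_dn(username, base_dn)
    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_certfile)
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # apply the TLS options above
    if uri.lower().startswith("ldap://"):
        conn.start_tls_s()  # plain port: upgrade before any password is sent
    try:
        conn.simple_bind_s(user_dn, old_password)
        # Same request value as encode_passwd_modify_request(user_dn, old, new).
        conn.passwd_s(user_dn, old_password, new_password)
    finally:
        conn.unbind_s()


if __name__ == "__main__":
    # Constructed sample values; show the bytes that go on the wire.
    dn = ipa_user_dn("dscott", "dc=example,dc=com")
    print(dn)
    print(encode_passwd_modify_request(dn, "old-secret", "new-secret").hex())
```

The web form backend would call `change_expired_password("ldaps://ipa.example.com", form_user, form_old, form_new, "dc=example,dc=com", "/etc/ipa/ca.crt")` (hostname, base DN and CA path are placeholders) and map the listed exceptions to user-facing errors; the old password never needs to be echoed back, and a kinit-style Kerberos change is not required for this path.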

Freeipa-users mailing list