Dan Scott wrote:
This may not be too difficult to do in a web form (SSL protected, of
course). You should be able to create a non-kerberos auth page that prompts
for username, old and new password and a submit button. You could pass this
onto a a simple backend that does an LDAP bind as the user with the old
password then use ldap_passwd() to set the new password.

Thanks. Do you have a particular language in mind for the
ldap_passwd() command? This sounds like a good way to go about it.
I've been looking at the ldappasswd command to figure out the correct
arguments, but this seems to require an SSL connection (Which is not
currently configured on my ipa server). This is strange, as ipa-passwd
and/or kpasswd don't appear to require SSL (maybe I'm wrong about
this). Anyway, is there a way to do this without using SSL?

I'll respond in reverse.

I don't believe the LDAP server will accept password changes over an unencrypted channel, so you either need to bind using GSSAPI or use SSL.

We use forwarded tickets in XML-RPC so our LDAP connections don't use SSL, we do a GSSAPI bind which brings its own encryption. You will have to do a simple bind since you'll just have a username/password.

We configure SSL for the LDAP server so as long as you trust the IPA CA you can do an SSL connection.

You can do it in whatever language you feel most comfortable with. You can write it as a CGI using perl, use mod_python, PHP, etc. All of these have some amount of LDAP support.

I might be making this all far too complicated. I have considered
using JNI to wrap a c kerberos library. Does this sound like a
reasonable idea?

I'm pretty sure Java supports kerberos natively. It can also speak LDAP natively.

Is there any documentation on the FreeIPA XMLRPC which I can read? I
have the API, but no more. I had to dig into the apache configuration
to find the domain path context (/xml/ipa).
Yes, just the API is documented, there aren't any programming examples other
than the code itself AFAIK.

One thing you can do is add the -v option to the ipa command-line tools to
see the XML-RPC request/response. That might help.

Thanks for that tip. It's useful to see the RPCs. Just to confirm,
there's no way to perform the 'un-authenticated' XML RPC to change a
password, even if the expired password is supplied in the call?

Right, no unauthenticated access. We let Apache's mod_auth_kerb module handle authentication for us and expect a ticket in the entry point. Even if you configured it to not require a ticket things would very likely blow up. That said, you can probably look at ipaldap.py for inspiration on how to do the password change in python (if you choose to go that route).


Dan Scott


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Freeipa-users mailing list

Reply via email to