On Sun, 2009-11-01 at 22:26 -0500, Dan Scott wrote:
> On Sat, Oct 31, 2009 at 12:50, Simo Sorce <sso...@redhat.com> wrote:
> > On Fri, 2009-10-30 at 18:16 -0400, Dan Scott wrote:
> >> OK, that makes sense, thanks. But there's still one thing I don't
> >> really understand. How do the ipa tools obtain a ticket for the RPC
> >> when the password has expired?
> >
> > They don't, password change is done via kpasswd (or direct connection to
> > ldap and ldappasswd operation).
> So kpasswd can alter the LDAP directory without a ticket?

kpasswd can take a ticket for kadmin/chang...@realm

> Let me check to see if I've got this straight. There are no IPA
> specific tools for changing an expired password?

Admin can always reset other users' passwords, but they will be expired.

>  It can be done using
> kpasswd (Which I really don't understand) or with a simple ldap bind
> where the expired password is used for binding? Further, there is no
> python library for changing the expired password? Is the above
> correct?


> The only way that I can see at the moment is to 'manually' alter the
> LDAP directory. i.e. Hash the password myself and insert it into the
> database. Could someone point me in the right direction for the cn and
> hashing algorithm I need to use?

No, prehashed passwords are refused; we need the clear text password to be
able to create the Kerberos keys.
The best way is to use the ldappasswd extended operation, although
probably writing the clear text password to userPassword should also


Simo Sorce * Red Hat, Inc * New York
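The "ldappasswd extended operation" mentioned in the reply is the LDAP Password Modify extended operation (RFC 3062). The following is an added example, not code from the thread or from FreeIPA: it builds the request bytes a client such as ldappasswd sends, which makes visible that the old and new passwords travel in clear text inside the request (hence the need for TLS) and that the server, not the client, derives the Kerberos keys. The DN and passwords are constructed sample values.

```python
# Added example (not from the thread): builds the bytes of the LDAP Password
# Modify extended request (RFC 3062) that ldappasswd sends. It only encodes the
# request; it does not open a connection. Sample DN/passwords are constructed.

PASSWD_MODIFY_OID = b"1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 extended operation OID


def ber_len(n: int) -> bytes:
    """BER definite-form length: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def passwd_modify_value(user_dn, old_pw, new_pw) -> bytes:
    """PasswdModifyRequestValue ::= SEQUENCE {
         userIdentity [0] OCTET STRING OPTIONAL,
         oldPasswd    [1] OCTET STRING OPTIONAL,
         newPasswd    [2] OCTET STRING OPTIONAL }
    LDAP uses IMPLICIT context tags, so the fields are 0x80, 0x81, 0x82.
    Pass None to omit a field, e.g. no DN when the bound user changes its
    own (expired) password."""
    parts = b""
    if user_dn is not None:
        parts += ber_tlv(0x80, user_dn.encode("utf-8"))
    if old_pw is not None:
        parts += ber_tlv(0x81, old_pw.encode("utf-8"))
    if new_pw is not None:
        parts += ber_tlv(0x82, new_pw.encode("utf-8"))
    return ber_tlv(0x30, parts)


def extended_request(message_id: int, value: bytes) -> bytes:
    """LDAPMessage { messageID INTEGER, ExtendedRequest [APPLICATION 23] }
    with requestName [0] = the OID and requestValue [1] = the encoded value."""
    msg_id = message_id.to_bytes(message_id.bit_length() // 8 + 1, "big")
    req = ber_tlv(0x80, PASSWD_MODIFY_OID) + ber_tlv(0x81, value)
    return ber_tlv(0x30, ber_tlv(0x02, msg_id) + ber_tlv(0x77, req))


if __name__ == "__main__":
    # Constructed sample: a user replacing their own expired password.
    val = passwd_modify_value("uid=dan,cn=users,cn=accounts,dc=example,dc=com",
                              "Expired-Pw1", "New-Secret-2")
    print(extended_request(1, val).hex())
```

Because the passwords are plain OCTET STRINGs in this request, the operation is only safe over TLS (or an otherwise protected session); the server hashes them and generates the Kerberos keys itself.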

Freeipa-users mailing list
