No, you should not change a password using a pre-hashed value. You should always send a clear text password - otherwise, IPA has no way to generate the different hashes/keys it needs.

Dan Scott wrote:
> On Sat, Oct 31, 2009 at 12:50, Simo Sorce <sso...@redhat.com> wrote:
>> On Fri, 2009-10-30 at 18:16 -0400, Dan Scott wrote:
>>> OK, that makes sense, thanks. But there's still one thing I don't really understand. How do the ipa tools obtain a ticket for the RPC when the password has expired?
>>
>> They don't, password change is done via kpasswd (or direct connection to ldap and ldappasswd operation).
>
> So kpasswd can alter the LDAP directory without a ticket? Let me check to see if I've got this straight. There are no IPA specific tools for changing an expired password? It can be done using kpasswd (Which I really don't understand) or with a simple ldap bind where the expired password is used for binding? Further, there is no python library for changing the expired password? Is the above correct?
>
> The only way that I can see at the moment is to 'manually' alter the LDAP directory. i.e. Hash the password myself and insert it into the database. Could someone point me in the right direction for the cn and hashing algorithm I need to use?
>
> Thanks again for all the replies,
> Dan

_______________________________________________
Freeipa-users mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-users
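The "ldappasswd operation" mentioned in the thread is the LDAP Password Modify extended operation (RFC 3062), whose request carries the old and new passwords as clear text so the server can derive every hash and key itself. The following is an added example, not part of the thread and not FreeIPA code: it BER-encodes such a request and decodes it again to show what the server receives. The function names, the DN and the passwords are constructed for illustration.

```python
"""RFC 3062 Password Modify request, BER-encoded (added illustration)."""

PASSWD_MODIFY_OID = b"1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 request name

def ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def passwd_modify_value(user_dn, old_pw, new_pw):
    """SEQUENCE { [0] userIdentity, [1] oldPasswd, [2] newPasswd }, all clear text."""
    return tlv(0x30, tlv(0x80, user_dn.encode()) + tlv(0x81, old_pw.encode())
               + tlv(0x82, new_pw.encode()))

def extended_request(msg_id, user_dn, old_pw, new_pw):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] }; msg_id 1..127."""
    value = passwd_modify_value(user_dn, old_pw, new_pw)
    op = tlv(0x77, tlv(0x80, PASSWD_MODIFY_OID) + tlv(0x81, value))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + op)

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_passwd_modify(value):
    """Decode the request value the way the directory server sees it."""
    names = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}
    tag, body, _ = read_tlv(value)
    if tag != 0x30:
        raise ValueError("not a PasswdModifyRequestValue")
    fields, pos = {}, 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        fields[names[tag]] = val.decode()
    return fields

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    dn = "uid=jdoe,cn=users,cn=accounts,dc=example,dc=com"
    print(parse_passwd_modify(passwd_modify_value(dn, "expired-pw", "new-pw")))
```

Because both passwords are readable in the encoded request, the operation should only be sent over a connection protected by TLS or an equivalent confidentiality layer.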