Dan Scott wrote:
On Sat, Oct 31, 2009 at 12:50, Simo Sorce <sso...@redhat.com> wrote:
On Fri, 2009-10-30 at 18:16 -0400, Dan Scott wrote:
OK, that makes sense, thanks. But there's still one thing I don't
really understand. How do the ipa tools obtain a ticket for the RPC
when the password has expired?
They don't; password change is done via kpasswd (or direct connection to
LDAP and ldappasswd operation).


So kpasswd can alter the LDAP directory without a ticket?

Let me check to see if I've got this straight. There are no IPA-specific
tools for changing an expired password? It can be done using
kpasswd (which I really don't understand) or with a simple LDAP bind
where the expired password is used for binding? Further, there is no
Python library for changing the expired password? Is the above
correct?

The only way that I can see at the moment is to 'manually' alter the
LDAP directory, i.e. hash the password myself and insert it into the
database. Could someone point me in the right direction for the cn and
hashing algorithm I need to use?
No, you should not change a password using a pre-hashed value. You should always send a clear text password - otherwise, IPA has no way to generate the different hashes/keys it needs.
Thanks again for all the replies,

Dan

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
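
Why a pre-hashed value cannot work, as an added example that is not part of the original thread: one cleartext password feeds several unrelated derivations, and none can be computed from another's output. The {SSHA} LDAP hash, the PBKDF2 step of the RFC 3962 Kerberos AES string-to-key, the realm, the user name and the sample password are assumptions chosen for illustration; the thread does not say which hashes and keys IPA generates.

```python
import base64
import hashlib
import hmac
import os

SAMPLE_PW = "Constructed-Sample-Pw1"   # constructed sample value
REALM, USER = "EXAMPLE.COM", "dscott"  # assumed realm and principal name


def ssha(password, salt=None):
    """{SSHA} userPassword value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def krb5_aes256_pbkdf2(password, realm, user):
    """PBKDF2 step of the RFC 3962 AES string-to-key (final DK() step omitted).

    The default salt is realm + principal name, with 4096 iterations.
    """
    salt = (realm + user).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 32)


def derive_from_cleartext(password):
    """What a server can compute when it receives the cleartext password."""
    return {
        "ldap_hash": ssha(password),
        "krb_aes256": krb5_aes256_pbkdf2(password, REALM, USER),
    }


if __name__ == "__main__":
    creds = derive_from_cleartext(SAMPLE_PW)
    # A writer that holds only the LDAP hash cannot reproduce the Kerberos
    # material: feeding the hash string through the KDF gives a different key.
    from_hash = krb5_aes256_pbkdf2(creds["ldap_hash"], REALM, USER)
    print("LDAP hash verifies:", ssha_verify(SAMPLE_PW, creds["ldap_hash"]))
    print("Kerberos key from hash matches:", from_hash == creds["krb_aes256"])
```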
