Sorry again, forgot to CC the mailing list.


On Tue, Nov 3, 2009 at 16:10, Dan Scott <> wrote:
> Hi,
> On Mon, Nov 2, 2009 at 07:33, Simo Sorce <> wrote:
>> On Sun, 2009-11-01 at 22:26 -0500, Dan Scott wrote:
>>> On Sat, Oct 31, 2009 at 12:50, Simo Sorce <> wrote:
>>> > On Fri, 2009-10-30 at 18:16 -0400, Dan Scott wrote:
>>> >> OK, that makes sense, thanks. But there's still one thing I don't
>>> >> really understand. How do the ipa tools obtain a ticket for the RPC
>>> >> when the password has expired?
>>> >
>>> > They don't, password change is done via kpasswd (or direct connection to
>>> > ldap and ldappasswd operation).
>>> So kpasswd can alter the LDAP directory without a ticket?
>> kpasswd can take a ticket for kadmin/chang...@realm
> So is that a 'special' ticket, which can be obtained with an expired
> password? Which can then be used to change the user's password?
>>> Let me check to see if I've got this straight. There are no IPA
>>> specific tools for changing an expired password?
>> Admin can always reset other users passwords, but they will be expired.
> Well sure, :) but changing a users expired password for another
> expired password doesn't really help. I meant more along the lines
> that there are no IPA specific tools which allow a non-admin user to
> change their own expired password.
>>> The only way that I can see at the moment is to 'manually' alter the
>>> LDAP directory. i.e. Hash the password myself and insert it into the
>>> database. Could someone point me in the right direction for the cn and
>>> hashing algorithm I need to use?
>> No prehashed password are refused, we need the clear text password to be
>> able to create the kerberos keys.
>> The best way is to use the ldappasswd extended operation, although
>> probably writing the clear text password to userPassword should also
>> work.
> OK, thanks. I've located a Java library which implements the correct
> LDAP extended operations. I can change a non-expired password with no
> problem, but I still can't change an expired password. I am using:
> and I am attempting to bind to the LDAP directory using SimpleBindRequest
> This works fine for changing currently valid passwords, but I receive
> "LDAPException :invalid credentials" when attempting to bind using an
> expired password. Do I need to use a different bind type? There are
> several available: ANONYMOUSBindRequest, CRAMMD5BindRequest,
> DIGESTMD5BindRequest, EXTERNALBindRequest, GSSAPIBindRequest,
> PLAINBindRequest, SASLBindRequest. I assume that anonymous won't work.
> Maybe I need to request the kadmin/changepw ticket requested above
> using Kerberos and use this to bind to LDAP?
> Is there any documentation related to all this? Anything would be
> great but if there's anything related to the way it works in FreeIPA
> that would be even better. I've been searching high and low and I'm
> not really having much luck.
> Thanks,
> Dan

Freeipa-users mailing list

Reply via email to