Hi Simo,

I totally missed http://www.freeipa.org/page/PasswordSynchronization (and
chapter 8.5.3 of the IPA guide :-) Thanks for pointing it out!

Regards,
Willem.


On Wed, Jun 6, 2012 at 2:46 PM, Simo Sorce <s...@redhat.com> wrote:

> On Wed, 2012-06-06 at 14:34 +0200, Willem Bos wrote:
> > Hi Alexander,
> >
> >
> > I did some experimenting with the example at
> > http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/
> > and am now able to create a user using the following as input to curl
> > (-d @user_add.json):
> >
> >
> > {
> >   "method":"user_add",
> >   "params":[
> >     [],
> >     {
> >       "uid":"test",
> >       "givenname":"test",
> >       "sn":"test",
> >       "userpassword":"test"
> >     }
> >   ]
> > }
> >
> >
> > I'm left with two questions:
> > - Is it possible to use a hashed password (as stored in the 'meta-IM')
> > as a value for userpassword? And if so, will this propagate to the
> > created Kerberos principal?
>
> Nope, we need the clear text in order to generate the krb5 keys.
>
> > - After creation, I'm forced to change the password when running
> > `kinit test`. Is it possible to prevent the forced password
> > change?
>
> Yes, see: http://www.freeipa.org/page/PasswordSynchronization
>
> > As a test, I tried to set the '-needchange' attribute using kadmin but
> > that returned "... Insufficient access while modifying..."
>
> This is not controlled by kadmin.
> >
> > I grepped the mailing list archives / API.txt / source code / etc. for
> > clues but without success...
>
> See above, it is really easy to create an agent with the right
> permissions.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
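
An added illustration of Simo's answer that the clear text is needed to generate the krb5 keys (not code from the thread or from FreeIPA). It assumes the hash stored upstream is an LDAP `{SSHA}` value and the realm is `EXAMPLE.COM`, and it shows only the PBKDF2 stage of the RFC 3962 AES string-to-key function; the final AES-based DK step is left out because it needs a cipher library.

```python
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """LDAP {SSHA}: base64(SHA1(password || salt) || salt), random salt."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """A directory can check a bind password against the hash..."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def krb5_default_salt(realm, *components):
    """Default Kerberos salt: realm followed by the principal name components."""
    return (realm + "".join(components)).encode()


def aes_pbkdf2_stage(secret, salt, iterations=4096, keylen=32):
    """...but the Kerberos AES key starts from PBKDF2-HMAC-SHA1 over the
    clear-text password with a different, principal-specific salt."""
    return hashlib.pbkdf2_hmac("sha1", secret.encode(), salt, iterations, keylen)


def compare(password="test", realm="EXAMPLE.COM"):
    # Constructed sample values; "test" mirrors the uid in the request above.
    stored = ssha_hash(password)
    k_user = aes_pbkdf2_stage(password, krb5_default_salt(realm, "test"))
    k_other = aes_pbkdf2_stage(password, krb5_default_salt(realm, "test2"))
    # Treating the stored hash as if it were the password yields unrelated
    # key material: the hash is one-way, so the real key cannot be rebuilt.
    k_from_hash = aes_pbkdf2_stage(stored, krb5_default_salt(realm, "test"))
    return {
        "hash_verifies": ssha_verify(password, stored),
        "same_password_other_principal_differs": k_user != k_other,
        "hash_as_input_differs": k_user != k_from_hash,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```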