On Wed, 05 Mar 2014, Mcadams, Shaun wrote:
We use ipa on our red hat boxes and have recently installed a SAS
suite/servers for a contract.  Their users are a mix of
internal/external associates.  Integrating with this ipa was
straight-forward.  Their application is able to use pam, but their
logon manager is limited as it does not support ids that have expired
or need reset.  For security reason, some which are IDM UI related, we
cannot expose the web app for those users to reset their passwords.  So
investigating a little bit, we found a few options but I wanted to
solicit any feedback for anyone who has been there done that.

We have the process working via the /ipa/session/change_password via a
python script which we could form feed.  At the same time I see that
there is already a reset_password form, javascript created.  So I don't
know that this is even necessary.  However, I have found that hosting
those in a web server isn't working and one person believes that could
be related to the wrong ldap hostname.

Anyway just wanted to see if anyone has faced this before. Thanks.
Remember that passwords are managed in LDAP and integrated with
Kerberos. This gives you few other options than what is described above:

- use kpasswd to perform password change directly against KDC
  +: can be scripted easily
  +: requires no setup additional privileges in IPA
  -: cannot be used when password is forgotten

- use LDAP password change operation, through ldappasswd
  +: can be scripted easily
  +: requires no setup with additional privileges
  -: cannot be used when password is forgotten

For cases, when password is forgotten, admin has to reset user's
password through
  ipa passwd <user>
command line interface and then user can use any of the above to change

All options above are scriptable since all tools accept passwords over
standard input or through a file.

If you want to build web application to reset passwords, then you need
to understand how conditional delegation works in IPA. As your
application works on user's behalf against IPA with Kerberos
credentials, it needs to be explicitly allowed to delegate user's
credentials. For doing that read my article at

/ Alexander Bokovoy

Freeipa-users mailing list

Reply via email to