Thank you, sir!

Shaun McAdams
National Government Services
Health IT : CPI-Predictive Modeling 
(o) - 317.595.4905 / x2004905
(c) - 317.430.9845


-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
Sent: Wednesday, March 05, 2014 10:15 AM
To: Mcadams, Shaun
Cc: freeipa-users@redhat.com; Xue, Xinjian
Subject: Re: [Freeipa-users] Advice on hosting reset_password in jboss instance

On Wed, 05 Mar 2014, Mcadams, Shaun wrote:
>We use ipa on our red hat boxes and have recently installed a SAS 
>suite/servers for a contract.  Their users are a mix of 
>internal/external associates.  Integrating with this ipa was 
>straightforward.  Their application is able to use pam, but their 
>logon manager is limited as it does not support ids that have expired 
>or need reset.  For security reasons, some of which are IDM UI related, we 
>cannot expose the web app for those users to reset their passwords.  So 
>investigating a little bit, we found a few options but I wanted to 
>solicit any feedback from anyone who has been there, done that.
>
>
>
>We have the process working via the /ipa/session/change_password via a 
>python script which we could form feed.  At the same time I see that 
>there is already a reset_password form, javascript created.  So I don't 
>know that this is even necessary.  However, I have found that hosting 
>those in a web server isn't working and one person believes that could 
>be related to the wrong ldap hostname.
>
>
>
>Anyway just wanted to see if anyone has faced this before. Thanks.
Remember that passwords are managed in LDAP and integrated with Kerberos. This 
gives you a few other options than what is described above:

- use kpasswd to perform password change directly against KDC
   +: can be scripted easily
   +: requires no setup of additional privileges in IPA
   -: cannot be used when password is forgotten

- use LDAP password change operation, through ldappasswd
   +: can be scripted easily
   +: requires no setup with additional privileges
   -: cannot be used when password is forgotten

For cases when the password is forgotten, an admin has to reset the user's password 
through the
   ipa passwd <user>
command line interface, and then the user can use any of the above to change 
the password.

All options above are scriptable since all tools accept passwords over standard 
input or through a file.

If you want to build a web application to reset passwords, then you need to 
understand how constrained delegation works in IPA. As your application works 
on the user's behalf against IPA with Kerberos credentials, it needs to be 
explicitly allowed to delegate the user's credentials. For doing that, read my 
article at 
https://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html

--
/ Alexander Bokovoy
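As an added example (not code from either poster or from the FreeIPA project), the scripted path Shaun mentions, the /ipa/session/change_password form endpoint, can be driven from Python like this. It separates building the request from interpreting the result so the outcome can be checked from the response headers instead of scraping HTML. The host name, user and passwords below are constructed placeholders; the endpoint path, form field names and the X-IPA-Pwchange-Result / X-IPA-Pwchange-Policy-Error response headers are the ones FreeIPA's change_password handler uses.

```python
"""Minimal client for FreeIPA's /ipa/session/change_password form endpoint.

Added illustration for this thread; the IPA host, user and passwords used
in any call are constructed placeholders, not values from the thread.
"""
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Result codes FreeIPA's change_password handler reports in the
# X-IPA-Pwchange-Result response header, mapped to operator-facing text.
RESULT_MESSAGES = {
    "ok": "password changed",
    "invalid-password": "current password rejected",
    "policy-error": "new password rejected by password policy",
    "error": "server-side error; check the IPA httpd log",
}


def build_change_password_request(ipa_host, user, old_password,
                                  new_password, otp=None):
    """Return (url, body_bytes, headers) for the password-change POST.

    The endpoint needs no Kerberos ticket: identity is proven with the
    user's current password, which is why an expired account can use it.
    """
    fields = {
        "user": user,
        "old_password": old_password,
        "new_password": new_password,
    }
    if otp:
        fields["otp"] = otp
    url = "https://%s/ipa/session/change_password" % ipa_host
    body = urllib.parse.urlencode(fields).encode("utf-8")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        # FreeIPA's handler expects a Referer header; send the UI URL.
        "Referer": "https://%s/ipa/ui/" % ipa_host,
    }
    return url, body, headers


def interpret_result(headers):
    """Map the response headers to (success, human-readable message)."""
    result = headers.get("X-IPA-Pwchange-Result", "error")
    message = RESULT_MESSAGES.get(result, "unknown result '%s'" % result)
    policy_detail = headers.get("X-IPA-Pwchange-Policy-Error")
    if policy_detail:
        message += ": " + policy_detail
    return result == "ok", message


def change_password(ipa_host, user, old_password, new_password,
                    otp=None, cafile=None):
    """Perform the change and return (success, message).

    cafile should point at the IPA CA certificate so the TLS session is
    verified; never disable verification for a password-carrying request.
    """
    url, body, hdrs = build_change_password_request(
        ipa_host, user, old_password, new_password, otp)
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body, headers=hdrs, method="POST")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return interpret_result(resp.headers)
    except urllib.error.HTTPError as exc:
        # The handler still sets the result headers on error responses.
        return interpret_result(exc.headers)


if __name__ == "__main__":
    import getpass
    # Constructed placeholder host; replace with the real IPA server.
    ok, msg = change_password(
        "ipa.example.test", "alice",
        getpass.getpass("current password: "),
        getpass.getpass("new password: "),
        cafile="/etc/ipa/ca.crt")
    print("result:", msg)
```

Because the endpoint accepts an expired password, it fits exactly the logon-manager gap described in the question; a wrapper around it can also feed the form from a file or standard input as the other tools do, while the policy detail header tells the user why a new password was refused.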


CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information or otherwise be protected by law. Any
unauthorized review, use, disclosure or distribution is prohibited. If you
are not the intended recipient, please contact the sender by reply e-mail
and destroy all copies of the original message.




_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users