Thanks you sir!

Shaun McAdams
National Government Services
Health IT : CPI-Predictive Modeling 
(o) - 317.595.4905 / x2004905
(c) - 317.430.9845

-----Original Message-----
From: Alexander Bokovoy [] 
Sent: Wednesday, March 05, 2014 10:15 AM
To: Mcadams, Shaun
Cc:; Xue, Xinjian
Subject: Re: [Freeipa-users] Advice on hosting reset_password in jboss instance

On Wed, 05 Mar 2014, Mcadams, Shaun wrote:
>We use ipa on our red hat boxes and have recently installed a SAS 
>suite/servers for a contract.  Their users are a mix of 
>internal/external associates.  Integrating with this ipa was 
>straight-forward.  Their application is able to use pam, but their 
>logon manager is limited as it does not support ids that have expired 
>or need reset.  For security reason, some which are IDM UI related, we 
>cannot expose the web app for those users to reset their passwords.  So 
>investigating a little bit, we found a few options but I wanted to 
>solicit any feedback for anyone who has been there done that.
>We have the process working via the /ipa/session/change_password via a 
>python script which we could form feed.  At the same time I see that 
>there is already a reset_password form, javascript created.  So I don't 
>know that this is even necessary.  However, I have found that hosting 
>those in a web server isn't working and one person believes that could 
>be related to the wrong ldap hostname.
>Anyway just wanted to see if anyone has faced this before. Thanks.
Remember that passwords are managed in LDAP and integrated with Kerberos. This 
gives you few other options than what is described above:

- use kpasswd to perform password change directly against KDC
   +: can be scripted easily
   +: requires no setup additional privileges in IPA
   -: cannot be used when password is forgotten

- use LDAP password change operation, through ldappasswd
   +: can be scripted easily
   +: requires no setup with additional privileges
   -: cannot be used when password is forgotten

For cases, when password is forgotten, admin has to reset user's password 
   ipa passwd <user>
command line interface and then user can use any of the above to change 

All options above are scriptable since all tools accept passwords over standard 
input or through a file.

If you want to build web application to reset passwords, then you need to 
understand how conditional delegation works in IPA. As your application works 
on user's behalf against IPA with Kerberos credentials, it needs to be 
explicitly allowed to delegate user's credentials. For doing that read my 
article at

/ Alexander Bokovoy

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information or otherwise be protected by law. Any
unauthorized review, use, disclosure or distribution is prohibited. If you
are not the intended recipient, please contact the sender by reply e-mail
and destroy all copies of the original message.

Freeipa-users mailing list

Reply via email to