Hi Dmitri,

That is quite a bucket of stuff... On the CA-less install, basically I don't 
want to have my users change their passwords again (they are complaining about 
the every-90-day password rotation policy); we do not have an internal CA, and most 
of our "desktop support" folks don't even have access to all of the desktops 
in the place.  Like I said, this place is mind-bending when it comes to standard 
practices.  The CA-less would be good if it were possible to make that change 
in place, or make the change by standing up a new IPA server and having the 
ability to import the current data set.

I was looking at PWM, and may try to get that implemented.


On 5/13/15 5:00 PM, Dmitri Pal wrote:
> On 05/13/2015 07:40 PM, William Graboyes wrote:
> > Hi List,
> >
> > I am trying to figure out a method of allowing users who do not have
> > shell access to change their own passwords.  The GUI that comes with
> > FreeIPA is out of the question due to the untrusted CA (yes I know we
> > are a strange shop, there is nothing I can do about it, and you would
> > want to gouge your eyes out if I told you the full story) becoming a
> > "Bad habit forming" method of changing one's password.  I have been
> > looking around for about a week now, and am somewhat lost and
> > perplexed. The old documentation for FreeIPA basically says that it is
> > not a good idea to manipulate the password directly in LDAP (and even
> > then finding what hash is being used has been next to impossible).
> >
> > So the question is this, does anyone know of any tools out there that
> > can happily, or even with some modification, allow me to set up a
> > trusted external SSL site that allows users to change their passwords?
> There is no external password reset self service in IPA yet. We will be
> starting to look into this effort during summer.
> Take a look at the bucket of tickets in the "FreeIPA Community Portal
> Release" here https://fedorahosted.org/freeipa/report/3.
> What prevents you from making IPA trusted? You can chain IPA to your CA
> or use it CA-less with certs from your own CA.
> Then UI would be an option I assume.
> Other option is https://code.google.com/p/pwm/
> >
> > Thanks,
> > Bill
