Re: [Freeipa-users] Mail Challenge Password Reset
- Original Message -
From: "KodaK"
To: "Michael ORourke"
Cc:
Sent: Wednesday, March 20, 2013 8:35 PM
Subject: Re: [Freeipa-users] Mail Challenge Password Reset

> On Wed, Mar 20, 2013 at 6:23 PM, Michael ORourke wrote:
> > We have a POC with PWM and a testIPA server running freeIPA v2.2.0.
> > It is working very well and we plan to move it into production soon.
> > I haven't written a how-to, but I have several notes on setting this up.
> > What part of PWM are you having trouble with?
>
> It's been a while, but IIRC when a user would request a reset via pwm
> and then set their password, it would require a further change because
> changing it through PWM was as-if an admin had done so. Something
> like that. Like I said, I didn't test that long with it. Like Dmitri
> said, if you could share your notes or write up a how-to the community
> would certainly appreciate it.
>
> Thanks,
>
> --Jason

I am not seeing that behaviour (password requiring a change after user just changed it). I'm using PWM v1.6.4 and freeIPA v2.2.0. Perhaps it only shows up in certain environments.

-Mike

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Mail Challenge Password Reset
- Original Message -
From: "Dmitri Pal"
To:
Sent: Wednesday, March 20, 2013 7:29 PM
Subject: Re: [Freeipa-users] Mail Challenge Password Reset

> On 03/20/2013 07:23 PM, Michael ORourke wrote:
> > We have a POC with PWM and a testIPA server running freeIPA v2.2.0.
> > It is working very well and we plan to move it into production soon.
> > I haven't written a how-to, but I have several notes on setting this up.
> > What part of PWM are you having trouble with?
>
> It would be really awesome if you find a moment to write a HOWTO on the subj.
>
> Thanks
> Dmitri

Sure! I was planning on doing that anyways. The only piece which I am having some trouble with is the pwm-proxy-user and the pwm-admin user/group ACLs. The documentation has some general guidelines, but it is not LDAP server specific. For production, you obviously don't want the directory admin user as the pwm-proxy-user. Anyways, I'm pretty close to getting that worked out, then I'll have a usable HOWTO that I can share out.

-Mike

> > -Mike
> >
> > - Original Message -
> > From: John Moyer
> > To: freeipa-users@redhat.com
> > Sent: Tuesday, March 19, 2013 4:25 PM
> > Subject: [Freeipa-users] Mail Challenge Password Reset
> >
> > Is there a mail challenge 3rd party tool that allows for users to
> > change their own passwords if they don't know their password?
> > Something like PWM for LDAP?
> >
> > https://code.google.com/p/pwm/
> >
> > I've been looking around and no one seems to have done this yet, but
> > wanted to yield to this group before giving up hope.
> >
> > Thanks,
> > John Moyer
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
Re: [Freeipa-users] Mail Challenge Password Reset
On Wed, Mar 20, 2013 at 7:54 PM, Simo Sorce wrote:
> You should have given the pwm user 'password sync' privileges.
> See this: http://www.freeipa.org/page/PasswordSynchronization

I remember what my problem with PWM was now: it wants to go out and retrieve something from "the cloud" when it runs, and since we're behind a few dozen firewalls that's just not going to happen.

"2013-03-21 14:16:28, TRACE, pwm.VersionChecker, sending cloud version request to: https://pwm-cloud.appspot.com/rest/pwm/current-version"

It just hangs there.

Anyway, I'm not going to bother trying to fix it, because:

http://ltb-project.org/wiki/documentation/self-service-password

That works just fine. I listed the user I set up for password management in passSyncManagersDNs and everything seems OK.

I need to evaluate LTB quite a bit and make sure there aren't any glaring holes, but it looks like I may have a solution. PWM looks like it'd be nice, but I'm a path-of-least-resistance kind of guy.

--Jason
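The setup discussed in this thread (a dedicated bind account for the self-service tool instead of the directory admin, listed in passSyncManagersDNs so that passwords it sets are not treated as admin resets that expire at once), sketched as LDIF. This is an added example, not any poster's configuration; the account name `pwm-proxy`, the suffix `dc=example,dc=com` and the password placeholder are assumptions.

```ldif
# Added example; uid, suffix and password below are placeholders (assumptions).
# Apply while bound as Directory Manager, for instance:
#   ldapmodify -x -D "cn=Directory Manager" -W -f passsync-account.ldif
#
# 1. Dedicated bind account for the self-service password tool, kept under
#    cn=sysaccounts so it is neither a login user nor the directory admin.
dn: uid=pwm-proxy,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectClass: account
objectClass: simpleSecurityObject
uid: pwm-proxy
userPassword: REPLACE_WITH_LONG_RANDOM_SECRET
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

# 2. List that account in passSyncManagersDNs on the IPA password plugin.
#    Only accounts that must set passwords on behalf of users belong here.
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=pwm-proxy,cn=sysaccounts,cn=etc,dc=example,dc=com
```

Listing the DN does not by itself grant write access to `userPassword`; that still needs its own ACI or permission, scoped to the user subtree the tool manages.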
Re: [Freeipa-users] Mail Challenge Password Reset
On Wed, 2013-03-20 at 19:35 -0500, KodaK wrote:
> On Wed, Mar 20, 2013 at 6:23 PM, Michael ORourke wrote:
> > We have a POC with PWM and a testIPA server running freeIPA v2.2.0.
> > It is working very well and we plan to move it into production soon.
> > I haven't written a how-to, but I have several notes on setting this up.
> > What part of PWM are you having trouble with?
>
> It's been a while, but IIRC when a user would request a reset via pwm
> and then set their password, it would require a further change because
> changing it through PWM was as-if an admin had done so.

You should have given the pwm user 'password sync' privileges.
See this: http://www.freeipa.org/page/PasswordSynchronization

> Something
> like that. Like I said, I didn't test that long with it. Like Dmitri
> said, if you could share your notes or write up a how-to the community
> would certainly appreciate it.

It would be very nice.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Mail Challenge Password Reset
On Wed, Mar 20, 2013 at 6:23 PM, Michael ORourke wrote:
> We have a POC with PWM and a testIPA server running freeIPA v2.2.0.
> It is working very well and we plan to move it into production soon.
> I haven't written a how-to, but I have several notes on setting this up.
> What part of PWM are you having trouble with?

It's been a while, but IIRC when a user would request a reset via pwm and then set their password, it would require a further change because changing it through PWM was as-if an admin had done so. Something like that. Like I said, I didn't test that long with it. Like Dmitri said, if you could share your notes or write up a how-to the community would certainly appreciate it.

Thanks,

--Jason
Re: [Freeipa-users] Mail Challenge Password Reset
On 03/20/2013 07:23 PM, Michael ORourke wrote:
> We have a POC with PWM and a testIPA server running freeIPA v2.2.0.
> It is working very well and we plan to move it into production soon.
> I haven't written a how-to, but I have several notes on setting this up.
> What part of PWM are you having trouble with?

It would be really awesome if you find a moment to write a HOWTO on the subj.

Thanks
Dmitri

> -Mike
>
> - Original Message -
> From: John Moyer
> To: freeipa-users@redhat.com
> Sent: Tuesday, March 19, 2013 4:25 PM
> Subject: [Freeipa-users] Mail Challenge Password Reset
>
> Is there a mail challenge 3rd party tool that allows for users to
> change their own passwords if they don't know their password?
> Something like PWM for LDAP?
>
> https://code.google.com/p/pwm/
>
> I've been looking around and no one seems to have done this yet, but
> wanted to yield to this group before giving up hope.
>
> Thanks,
> John Moyer

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Re: [Freeipa-users] Mail Challenge Password Reset
We have a POC with PWM and a testIPA server running freeIPA v2.2.0. It is working very well and we plan to move it into production soon. I haven't written a how-to, but I have several notes on setting this up. What part of PWM are you having trouble with?

-Mike

- Original Message -
From: John Moyer
To: freeipa-users@redhat.com
Sent: Tuesday, March 19, 2013 4:25 PM
Subject: [Freeipa-users] Mail Challenge Password Reset

> Is there a mail challenge 3rd party tool that allows for users to change their own passwords if they don't know their password? Something like PWM for LDAP?
>
> https://code.google.com/p/pwm/
>
> I've been looking around and no one seems to have done this yet, but wanted to yield to this group before giving up hope.
>
> Thanks,
> John Moyer
Re: [Freeipa-users] Mail Challenge Password Reset
On Tue, Mar 19, 2013 at 3:36 PM, Rob Crittenden wrote:
> John Moyer wrote:
>>
>> Is there a mail challenge 3rd party tool that allows for users to change
>> their own passwords if they don't know their password? Something like
>> PWM for LDAP?
>>
>> https://code.google.com/p/pwm/
>>
>> I've been looking around and no one seems to have done this yet, but
>> wanted to yield to this group before giving up hope.
>>
>
> No. There is a ticket to add support for this but it isn't planned to be
> worked on for some time.
>
> There was a thread about this last year:
> https://www.redhat.com/archives/freeipa-users/2012-July/msg00051.html

That was me. I still haven't done much -- pwm didn't work out well because when it changes the user's password it auto expires as if an admin changed it and I didn't look much past that.

With 3.0 users are able to reset their expired passwords and that's 99% of the changes that need to be made at our site (many of my users only use AIX servers, and the version we're running is horribly broken in regards to passing along messages from the auth backend. I set up a Linux VM specifically for account administration of this type, too.)
Re: [Freeipa-users] Mail Challenge Password Reset
John Moyer wrote:
> Is there a mail challenge 3rd party tool that allows for users to change their own passwords if they don't know their password? Something like PWM for LDAP?
>
> https://code.google.com/p/pwm/
>
> I've been looking around and no one seems to have done this yet, but wanted to yield to this group before giving up hope.

No. There is a ticket to add support for this but it isn't planned to be worked on for some time.

There was a thread about this last year: https://www.redhat.com/archives/freeipa-users/2012-July/msg00051.html

rob