Re: [Freeipa-users] Password expiry when account provisioned/updated via JSON RPC

2013-03-06 Thread Brian Smith
I'm going to dig into it further, hopefully produce a patch in the next few
days.  My work-around for right now is ldapmodifying
the krbPasswordExpiration attribute on the account after creation and
subsequent password updates.


On Wed, Mar 6, 2013 at 8:40 AM, Dmitri Pal d...@redhat.com wrote:

  On 03/05/2013 10:28 PM, Brian Smith wrote:

  I set the policy to 1 year and recreated the account.

  $ ipa pwpolicy-show --user=it-rc-test-faculty
   Group: global_policy
   Max lifetime (days): 365
   Min lifetime (hours): 1
   History size: 0
   Character classes: 0
   Min length: 8
   Max failures: 10
   Failure reset interval: 60
   Lockout duration: 600

  Looks like a bug was filed for this about 9 months ago:
 https://fedorahosted.org/freeipa/ticket/2795

  I can also confirm the same behavior when the policy is set to 0 days,
 less than 90 days, or if I create a separate password policy for users in
 the ipausers group.  The result is always 90 days.

  If the user updates the password themselves (after initial login) then
 the password policy works and sets the expiry accordingly.

  The user that is adding the users with userpasswd set appears in the
 passsyncmanagersdns list:

  passsyncmanagersdns:
 uid=rc-user-svcacct,cn=users,cn=accounts,dc=rc,dc=usf,dc=edu


 Can you work around this issue?
 While it was filed 9 months ago it was found to not be that critical so we
 deferred it till later time.
 Patches are always welcome too :-)




 On Mon, Mar 4, 2013 at 2:40 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Brian Smith wrote:

  Thanks for your response, and sorry for my late response.  I'm on RHEL6,
 using the packages from the distribution repository,
 ipa-server-2.2.0-17.el6_3.1.x86_64

 My pwpolicy is set as such (in testing):

 $ ipa pwpolicy-show --all
dn: cn=global_policy,cn=rc.usf.edu,cn=kerberos,dc=rc,dc=usf,dc=edu

Group: global_policy
Max lifetime (days): 365
Min lifetime (hours): 1
History size: 0
Character classes: 0
Min length: 8
Max failures: 10
Failure reset interval: 60
Lockout duration: 600
objectclass: top, nsContainer, krbPwdPolicy


 If I create an account and set the password using the following JSON
 string, against $server/ipa/json, say today,

 {
   "method": "user_add",
   "params": [
     [],
     {
       "uid": "it-rc-test-faculty",
       "homedirectory": "/home/i/it-rc-test-faculty",
       "userpassword": "MyPasswordInTheClear",
       "givenname": "RC TEST - Faculty",
       "sn": "Service_Account"
     }
   ]
 }

 I get a password expiry time like so:

 $ ipa user-show --all it-rc-test-faculty | grep krbpasswordexpiration
 krbpasswordexpiration: 20130602163523Z

 That's clearly not one year into the future, but more like 90 days.

 Is there something else I'm missing or are we looking at a bug?


 I still can't reproduce this. I tried from our 3.x branch and the 2.2
 bits on 6.3.

 Can you do: ipa pwpolicy-show --user=it-rc-test-faculty

 This will show the policy applied to that user.

 Might also check /var/log/dirsrv/slapd-REALM/errors for anything
 suspicious.

 rob


 Many thanks,
 -Brian


 On Tue, Feb 26, 2013 at 3:22 AM, Martin Kosek mko...@redhat.com wrote:

 On 02/25/2013 04:38 PM, Brian Smith wrote:
   It seems that regardless of the global password expiry setting,
   setting a password via the methods

   user-add
   passwd

   I will always have a password that expires in 90 days.  I
   followed the instructions here
   http://freeipa.org/page/PasswordSynchronization
   to avoid the immediate expiry, but I need at least 180 days for my
   configuration to work.

   Any help would be appreciated!

   --
   Brian Smith
   Assistant Director
   Research Computing, University of South Florida
   4202 E. Fowler Ave. SVC4010
   Office Phone: +1 813 974-1467
   Organization URL: http://rc.usf.edu


 Hello Brian,

 Updating maximum password expiration time with ipa pwpolicy-mod
 affects only new passwords, i.e. passwords that you already changed
 will have the old lifetime.

 When I tested this on Fedora 18, password change worked for me:

 # ipa pwpolicy-mod --maxlife 180
Group: global_policy
Max lifetime (days): 180
Min lifetime (hours): 1
History size: 0
Character classes: 0
Min length: 8
Max failures: 6
Failure reset interval: 60
Lockout duration: 600

 # ipa user-add --first=Foo --last=Bar fbar
 -
 Added user fbar
 -
User login: fbar
First name: Foo
Last name: Bar
Full name: Foo Bar
Display name: Foo Bar
Initials: FB
Home directory: /home/fbar
GECOS field: Foo Bar
Login shell: /bin/sh
 Kerberos principal: f...@example.com
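An added example (not code from this thread or from FreeIPA) for the check and workaround Brian describes above: parse the krbpasswordexpiration value that user-show prints, compare it with the policy's max lifetime, and emit the LDIF for the ldapmodify fix. The password-set time, the user DN and the tolerance are assumed values, not taken from the thread.

```ruby
# Added example, not code from this thread or from FreeIPA. Checks the
# krbpasswordexpiration value that `ipa user-show --all` prints against the
# policy's max lifetime, and writes the LDIF for the ldapmodify workaround.

# LDAP generalized time as printed by user-show, e.g. 20130602163523Z (UTC).
def parse_krb_time(value)
  m = value.match(/\A(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z\z/)
  raise ArgumentError, "not a generalized time: #{value}" unless m
  Time.utc(*m.captures.map(&:to_i))
end

def format_krb_time(t)
  t.utc.strftime('%Y%m%d%H%M%SZ')
end

# The expiry the policy would give: time the password was set plus maxlife.
def expected_expiry(set_at, maxlife_days)
  set_at + maxlife_days * 86_400
end

# Whole days between the password-set time and the stored expiry; the
# symptom in the thread is this coming out at 90 regardless of the policy.
def expiry_lifetime_days(stored, set_at)
  ((parse_krb_time(stored) - set_at) / 86_400).round
end

# True when the stored expiry agrees with the policy (within +tolerance+ s).
def expiry_matches_policy?(stored, set_at, maxlife_days, tolerance = 3600)
  (parse_krb_time(stored) - expected_expiry(set_at, maxlife_days)).abs <= tolerance
end

# LDIF for `ldapmodify` that overwrites krbPasswordExpiration on the account;
# the caller supplies the user DN (cn=users,cn=accounts layout as in the thread).
def expiry_fix_ldif(user_dn, set_at, maxlife_days)
  [
    "dn: #{user_dn}",
    'changetype: modify',
    'replace: krbPasswordExpiration',
    "krbPasswordExpiration: #{format_krb_time(expected_expiry(set_at, maxlife_days))}",
    ''
  ].join("\n")
end

# Constructed sample matching the thread: password set 2013-03-04 (assumed),
# policy maxlife 365 days, server stored the 90-day value 20130602163523Z.
SET_AT = Time.utc(2013, 3, 4, 16, 35, 23)
STORED = '20130602163523Z'
```

Run the LDIF through ldapmodify only after the provisioning call, since a later password change by the same service account resets the attribute again.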

Re: [Freeipa-users] Password expiry when account provisioned/updated via JSON RPC

2013-03-05 Thread Brian Smith
I set the policy to 1 year and recreated the account.

$ ipa pwpolicy-show --user=it-rc-test-faculty
  Group: global_policy
  Max lifetime (days): 365
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 10
  Failure reset interval: 60
  Lockout duration: 600

Looks like a bug was filed for this about 9 months ago:
https://fedorahosted.org/freeipa/ticket/2795

I can also confirm the same behavior when the policy is set to 0 days, less
than 90 days, or if I create a separate password policy for users in the
ipausers group.  The result is always 90 days.

If the user updates the password themselves (after initial login) then the
password policy works and sets the expiry accordingly.

The user that is adding the users with userpasswd set appears in the
passsyncmanagersdns list:

passsyncmanagersdns:
uid=rc-user-svcacct,cn=users,cn=accounts,dc=rc,dc=usf,dc=edu


On Mon, Mar 4, 2013 at 2:40 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Brian Smith wrote:

 Thanks for your response, and sorry for my late response.  I'm on RHEL6,
 using the packages from the distribution repository,
 ipa-server-2.2.0-17.el6_3.1.x86_64

 My pwpolicy is set as such (in testing):

 $ ipa pwpolicy-show --all
dn: cn=global_policy,cn=rc.usf.edu,cn=kerberos,dc=rc,dc=usf,dc=edu

Group: global_policy
Max lifetime (days): 365
Min lifetime (hours): 1
History size: 0
Character classes: 0
Min length: 8
Max failures: 10
Failure reset interval: 60
Lockout duration: 600
objectclass: top, nsContainer, krbPwdPolicy


 If I create an account and set the password using the following JSON
 string, against $server/ipa/json, say today,

 {
   "method": "user_add",
   "params": [
     [],
     {
       "uid": "it-rc-test-faculty",
       "homedirectory": "/home/i/it-rc-test-faculty",
       "userpassword": "MyPasswordInTheClear",
       "givenname": "RC TEST - Faculty",
       "sn": "Service_Account"
     }
   ]
 }

 I get a password expiry time like so:

 $ ipa user-show --all it-rc-test-faculty | grep krbpasswordexpiration
 krbpasswordexpiration: 20130602163523Z

 That's clearly not one year into the future, but more like 90 days.

 Is there something else I'm missing or are we looking at a bug?


 I still can't reproduce this. I tried from our 3.x branch and the 2.2 bits
 on 6.3.

 Can you do: ipa pwpolicy-show --user=it-rc-test-faculty

 This will show the policy applied to that user.

 Might also check /var/log/dirsrv/slapd-REALM/errors for anything
 suspicious.

 rob


 Many thanks,
 -Brian


 On Tue, Feb 26, 2013 at 3:22 AM, Martin Kosek mko...@redhat.com wrote:

 On 02/25/2013 04:38 PM, Brian Smith wrote:
   It seems that regardless of the global password expiry setting,
   setting a password via the methods

   user-add
   passwd

   I will always have a password that expires in 90 days.  I
   followed the instructions here
   http://freeipa.org/page/PasswordSynchronization
   to avoid the immediate expiry, but I need at least 180 days for my
   configuration to work.

   Any help would be appreciated!

   --
   Brian Smith
   Assistant Director
   Research Computing, University of South Florida
   4202 E. Fowler Ave. SVC4010
   Office Phone: +1 813 974-1467
   Organization URL: http://rc.usf.edu


 Hello Brian,

 Updating maximum password expiration time with ipa pwpolicy-mod
 affects only new passwords, i.e. passwords that you already changed
 will have the old lifetime.

 When I tested this on Fedora 18, password change worked for me:

 # ipa pwpolicy-mod --maxlife 180
Group: global_policy
Max lifetime (days): 180
Min lifetime (hours): 1
History size: 0
Character classes: 0
Min length: 8
Max failures: 6
Failure reset interval: 60
Lockout duration: 600

 # ipa user-add --first=Foo --last=Bar fbar
 -
 Added user fbar
 -
User login: fbar
First name: Foo
Last name: Bar
Full name: Foo Bar
Display name: Foo Bar
Initials: FB
Home directory: /home/fbar
GECOS field: Foo Bar
Login shell: /bin/sh
Kerberos principal: f...@example.com
Email address: f...@example.com

UID: 175821
GID: 175821
Password: False
Member of groups: ipausers
Kerberos keys available: False
 # ipa passwd fbar
 New Password:
 Enter New Password again to verify:
 ---
 Changed password for f...@example.com
 ---

 $ ssh f

Re: [Freeipa-users] JSON-RPC documentation?

2013-01-15 Thread Brian Smith
These posts have all been really helpful (especially -vv... it's mostly
trivial to translate to JSON from the XML).  Thanks a lot for the
suggestions!

I do have one question that might be a new thread, but for me it's related.
I've added a service account user to the passSyncManagersDNs multi-valued
list to avoid the initial account expiration, but it seems to put a 3 month
expiration on the account despite the fact that my global password policy
is 180 days.  Anyone know what gives?

Thanks again!
-Brian


On Tue, Jan 15, 2013 at 6:55 AM, Petr Vobornik pvobo...@redhat.com wrote:

 Spying on the Web UI might be another way to learn the API.

 The Web UI uses the JSON interface for everything it does. You can open
 developer tools in Chrome (hit F12) and watch the communication (network
 tab). Do something and then look for requests named 'json' and inspect the
 request payload.

 To inspect the API alone you can go through the metadata (in the console
 tab), which is stored in the IPA.metadata object, but I guess inspecting
 the python code might be easier.

 HTH


 On 01/15/2013 03:55 AM, Brian Smith wrote:

 That helps a lot.  Thanks!  I would use ipalib, but I'm developing a Rails
 application, so the JSON interface is the quickest (and since XML may be
 deprecated) best way forward (unless you know a way to use it in Ruby :).
   I'm guessing in JSON, the structure would look something like this:

 {
   "method": "user_add",
   "params": [
     [],
     {
       "uid": "testuser",
       "givenname": "Test",
       "sn": "User",
       "userpassword": "mySecretPasswordBlahBlah",
       ...
     }
   ]
 }

 Maybe I'll try to compile some documentation.  I know that this page
 helped a lot, to cook up a quick ruby client with Curb:
 http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/


 On Mon, Jan 14, 2013 at 9:35 PM, Rob Crittenden rcrit...@redhat.com wrote:

  Dmitri Pal wrote:

  On 01/14/2013 08:16 PM, Brian Smith wrote:

  Before I pester the dev list, I was wondering if anyone here could
 point me to documentation on the JSON-RPC interface to FreeIPA.  I'm
 not doing anything fancy, just adding users and updating passwords, so
 my requirements are pretty tame.  I've gone through the Python code
 and have somewhat pieced it together myself, but would be more
 comfortable if there were official docs.

  I do not remember us having documentation about XML-RPC but I will
  check.
  We are actually debating deprecating XML-RPC over time in favor of JSON.


 There is no official documentation on either XML-RPC or JSON. The format
 is rather straightforward once you get the hang of things. Each command
 is effectively an RPC function (e.g. ipa user-add -> user_add). The
 arguments consist of positional arguments followed by named arguments
 (there is usually only one positional arg).

 For XML-RPC it is generally fairly easy to work out what it's doing by
 adding the -vv option to the command-line to see the raw request and
 response. I personally haven't done a lot of raw JSON work.

 The final option is to skip all that and use the ipalib to do the work
 for you.

 For example, to add a user you'd do something like:

 from ipalib import api
 from ipalib import errors

 # Initialise the framework as the CLI does and connect to the server.
 api.bootstrap(context='cli')
 api.finalize()
 api.Backend.xmlclient.connect()

 try:
     api.Command['user_add'](u'newuser',
                             loginshell=u'/bin/something',
                             givenname=u'New', sn=u'User')
 except errors.DuplicateEntry:
     print "user already exists"
 else:
     print "user added"



 ___
 Freeipa-users mailing list
 Freeipa-users@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-users



 --
 Petr Vobornik




-- 
Brian Smith
Assistant Director
Research Computing, University of South Florida
4202 E. Fowler Ave. SVC4010
Office Phone: +1 813 974-1467
Organization URL: http://rc.usf.edu
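An added example (not code from this thread or from FreeIPA) of the request shape Rob describes and Brian sketches in JSON: the CLI command name becomes the RPC method name, params carries the positional arguments followed by the named options, and a helper reads the reply. The Referer header and the sample reply are assumptions, not taken from the thread.

```ruby
require 'json'

# Added example, not code from this thread or from FreeIPA. Builds the
# JSON-RPC body that is POSTed to "#{server}/ipa/json": the CLI command
# "user-add" becomes the method "user_add", and params is
# [positional_args, named_options].
def ipa_method_name(cli_command)
  cli_command.tr('-', '_')
end

def ipa_request(cli_command, positional = [], options = {})
  { 'method' => ipa_method_name(cli_command),
    'params' => [Array(positional), options] }
end

def ipa_request_body(cli_command, positional = [], options = {})
  JSON.generate(ipa_request(cli_command, positional, options))
end

# Headers for the JSON endpoint. The Referer header is an assumption from
# the server's CSRF check, not something stated in the thread; authentication
# (Kerberos/Negotiate as in the curl post linked above) is left to the client.
def ipa_headers(server)
  { 'Content-Type' => 'application/json',
    'Accept' => 'application/json',
    'Referer' => "https://#{server}/ipa" }
end

# A reply carries either an "error" object or a "result"; return the result
# hash or raise with the server's code and message.
def ipa_result(response_body)
  reply = JSON.parse(response_body)
  if reply['error']
    raise "IPA error #{reply['error']['code']}: #{reply['error']['message']}"
  end
  reply['result']
end

# Constructed sample reply (not captured from a real server) for user_add.
SAMPLE_REPLY = JSON.generate(
  'error' => nil, 'id' => 0,
  'result' => { 'value' => 'testuser', 'summary' => 'Added user "testuser"',
                'result' => { 'uid' => ['testuser'],
                              'krbpasswordexpiration' => ['20130602163523Z'] } }
)
```

Brian's sketch passes uid inside the named options with an empty positional list; ipalib accepts either form, so both `ipa_request('user-add', 'testuser', opts)` and `ipa_request('user-add', [], opts.merge('uid' => 'testuser'))` produce a valid call.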

[Freeipa-users] JSON-RPC documentation?

2013-01-14 Thread Brian Smith
Before I pester the dev list, I was wondering if anyone here could point me
to documentation on the JSON-RPC interface to FreeIPA.  I'm not doing
anything fancy, just adding users and updating passwords, so my
requirements are pretty tame.  I've gone through the Python code and have
somewhat pieced it together myself, but would be more comfortable if there
were official docs.

Thanks,

-- 
Brian Smith
Assistant Director
Research Computing, University of South Florida
4202 E. Fowler Ave. SVC4010
Office Phone: +1 813 974-1467
Organization URL: http://rc.usf.edu

Re: [Freeipa-users] JSON-RPC documentation?

2013-01-14 Thread Brian Smith
That helps a lot.  Thanks!  I would use ipalib, but I'm developing a Rails
application, so the JSON interface is the quickest (and since XML may be
deprecated) best way forward (unless you know a way to use it in Ruby :).
 I'm guessing in JSON, the structure would look something like this:

{
  "method": "user_add",
  "params": [
    [],
    {
      "uid": "testuser",
      "givenname": "Test",
      "sn": "User",
      "userpassword": "mySecretPasswordBlahBlah",
      ...
    }
  ]
}

Maybe I'll try to compile some documentation.  I know that this page helped
a lot, to cook up a quick ruby client with Curb:
http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/


On Mon, Jan 14, 2013 at 9:35 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Dmitri Pal wrote:

 On 01/14/2013 08:16 PM, Brian Smith wrote:

 Before I pester the dev list, I was wondering if anyone here could
 point me to documentation on the JSON-RPC interface to FreeIPA.  I'm
 not doing anything fancy, just adding users and updating passwords, so
 my requirements are pretty tame.  I've gone through the Python code
 and have somewhat pieced it together myself, but would be more
 comfortable if there were official docs.

  I do not remember us having documentation about XML-RPC but I will
 check.
 We are actually debating deprecating XML-RPC over time in favor of JSON.


 There is no official documentation on either XML-RPC or JSON. The format
 is rather straightforward once you get the hang of things. Each command is
 effectively an RPC function (e.g. ipa user-add -> user_add). The arguments
 consist of positional arguments followed by named arguments (there is
 usually only one positional arg).

 For XML-RPC it is generally fairly easy to work out what it's doing by
 adding the -vv option to the command-line to see the raw request and
 response. I personally haven't done a lot of raw JSON work.

 The final option is to skip all that and use the ipalib to do the work for
 you.

 For example, to add a user you'd do something like:

 from ipalib import api
 from ipalib import errors

 # Initialise the framework as the CLI does and connect to the server.
 api.bootstrap(context='cli')
 api.finalize()
 api.Backend.xmlclient.connect()

 try:
     api.Command['user_add'](u'newuser',
                             loginshell=u'/bin/something',
                             givenname=u'New', sn=u'User')
 except errors.DuplicateEntry:
     print "user already exists"
 else:
     print "user added"






-- 
Brian Smith
Assistant Director
Research Computing, University of South Florida
4202 E. Fowler Ave. SVC4010
Office Phone: +1 813 974-1467
Organization URL: http://rc.usf.edu