Re: [Freeipa-users] Password expiry when account provisioned/updated via JSON RPC
I'm going to dig into it further, hopefully produce a patch in the next few days. My work-around for right now is ldapmodifying the krbPasswordExpiration attribute on the account after creation and subsequent password updates.

On Wed, Mar 6, 2013 at 8:40 AM, Dmitri Pal d...@redhat.com wrote:
> On 03/05/2013 10:28 PM, Brian Smith wrote:
>> I set the policy to 1 year and recreated the account.
>>
>>   $ ipa pwpolicy-show --user=it-rc-test-faculty
>>   Group: global_policy
>>   Max lifetime (days): 365
>>   Min lifetime (hours): 1
>>   History size: 0
>>   Character classes: 0
>>   Min length: 8
>>   Max failures: 10
>>   Failure reset interval: 60
>>   Lockout duration: 600
>>
>> Looks like a bug was filed for this about 9 months ago:
>> https://fedorahosted.org/freeipa/ticket/2795
>>
>> I can also confirm the same behavior when the policy is set to 0 days, less than 90 days, or if I create a separate password policy for users in the ipausers group. The result is always 90 days. If the user updates the password themselves (after initial login) then the password policy works and sets the expiry accordingly.
>>
>> The user that is adding the users with userpasswd set appears in the passsyncmanagersdns list:
>>
>>   passsyncmanagersdns: uid=rc-user-svcacct,cn=users,cn=accounts,dc=rc,dc=usf,dc=edu
>
> Can you work around this issue? While it was filed 9 months ago it was found to not be that critical so we deferred it till later time. Patches are always welcome too :-)
>
>> On Mon, Mar 4, 2013 at 2:40 PM, Rob Crittenden rcrit...@redhat.com wrote:
>>> Brian Smith wrote:
>>>> Thanks for your response, and sorry for my late response.
>>>>
>>>> I'm on RHEL6, using the packages from the distribution repository, ipa-server-2.2.0-17.el6_3.1.x86_64
>>>>
>>>> My pwpolicy is set as such (in testing):
>>>>
>>>>   $ ipa pwpolicy-show --all
>>>>   dn: cn=global_policy,cn=rc.usf.edu,cn=kerberos,dc=rc,dc=usf,dc=edu
>>>>   Group: global_policy
>>>>   Max lifetime (days): 365
>>>>   Min lifetime (hours): 1
>>>>   History size: 0
>>>>   Character classes: 0
>>>>   Min length: 8
>>>>   Max failures: 10
>>>>   Failure reset interval: 60
>>>>   Lockout duration: 600
>>>>   objectclass: top, nsContainer, krbPwdPolicy
>>>>
>>>> If I create an account and set the password using the following JSON string, against $server/ipa/json, say today,
>>>>
>>>>   {
>>>>     "method": "user_add",
>>>>     "params": [
>>>>       [],
>>>>       {
>>>>         "uid": "it-rc-test-faculty",
>>>>         "homedirectory": "/home/i/it-rc-test-faculty",
>>>>         "userpassword": "MyPasswordInTheClear",
>>>>         "givenname": "RC TEST - Faculty",
>>>>         "sn": "Service_Account"
>>>>       }
>>>>     ]
>>>>   }
>>>>
>>>> I get a password expiry time like so:
>>>>
>>>>   $ ipa user-show --all it-rc-test-faculty | grep krbpasswordexpiration
>>>>   krbpasswordexpiration: 20130602163523Z
>>>>
>>>> That's clearly not one year into the future, but more like 90 days. Is there something else I'm missing or are we looking at a bug?
>>>
>>> I still can't reproduce this. I tried from our 3.x branch and the 2.2 bits on 6.3.
>>>
>>> Can you do:
>>>
>>>   ipa pwpolicy-show --user=it-rc-test-faculty
>>>
>>> This will show the policy applied to that user.
>>>
>>> Might also check /var/log/dirsrv/slapd-REALM/errors for anything suspicious.
>>>
>>> rob
>>>
>>>> Many thanks,
>>>> -Brian
>>>>
>>>> On Tue, Feb 26, 2013 at 3:22 AM, Martin Kosek mko...@redhat.com wrote:
>>>>> On 02/25/2013 04:38 PM, Brian Smith wrote:
>>>>>> It seems that regardless of the global password expiry setting, setting a password via the methods user-add and passwd I will always have a password that expires in 90 days. I followed the instructions here http://freeipa.org/page/PasswordSynchronization to avoid the immediate expiry, but I need at least 180 days for my configuration to work.
>>>>>>
>>>>>> Any help would be appreciated!
>>>>>>
>>>>>> --
>>>>>> Brian Smith
>>>>>> Assistant Director
>>>>>> Research Computing, University of South Florida
>>>>>> 4202 E. Fowler Ave. SVC4010
>>>>>> Office Phone: +1 813 974-1467
>>>>>> Organization URL: http://rc.usf.edu
>>>>>
>>>>> Hello Brian,
>>>>>
>>>>> Updating maximum password expiration time with ipa pwpolicy-mod affects only new passwords, i.e. a password that you already changed will have the old lifetime.
>>>>>
>>>>> When I tested this on Fedora 18, password change worked for me:
>>>>>
>>>>>   # ipa pwpolicy-mod --maxlife 180
>>>>>   Group: global_policy
>>>>>   Max lifetime (days): 180
>>>>>   Min lifetime (hours): 1
>>>>>   History size: 0
>>>>>   Character classes: 0
>>>>>   Min length: 8
>>>>>   Max failures: 6
>>>>>   Failure reset interval: 60
>>>>>   Lockout duration: 600
>>>>>
>>>>>   # ipa user-add --first=Foo --last=Bar fbar
>>>>>   ---
>>>>>   Added user "fbar"
>>>>>   ---
>>>>>   User login: fbar
>>>>>   First name: Foo
>>>>>   Last name: Bar
>>>>>   Full name: Foo Bar
>>>>>   Display name: Foo Bar
>>>>>   Initials: FB
>>>>>   Home directory: /home/fbar
>>>>>   GECOS field: Foo Bar
>>>>>   Login shell: /bin/sh
>>>>>   Kerberos principal: f...@example.com
Re: [Freeipa-users] Password expiry when account provisioned/updated via JSON RPC
I set the policy to 1 year and recreated the account.

  $ ipa pwpolicy-show --user=it-rc-test-faculty
  Group: global_policy
  Max lifetime (days): 365
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 10
  Failure reset interval: 60
  Lockout duration: 600

Looks like a bug was filed for this about 9 months ago:
https://fedorahosted.org/freeipa/ticket/2795

I can also confirm the same behavior when the policy is set to 0 days, less than 90 days, or if I create a separate password policy for users in the ipausers group. The result is always 90 days. If the user updates the password themselves (after initial login) then the password policy works and sets the expiry accordingly.

The user that is adding the users with userpasswd set appears in the passsyncmanagersdns list:

  passsyncmanagersdns: uid=rc-user-svcacct,cn=users,cn=accounts,dc=rc,dc=usf,dc=edu

On Mon, Mar 4, 2013 at 2:40 PM, Rob Crittenden rcrit...@redhat.com wrote:
> Brian Smith wrote:
>> Thanks for your response, and sorry for my late response.
>>
>> I'm on RHEL6, using the packages from the distribution repository, ipa-server-2.2.0-17.el6_3.1.x86_64
>>
>> My pwpolicy is set as such (in testing):
>>
>>   $ ipa pwpolicy-show --all
>>   dn: cn=global_policy,cn=rc.usf.edu,cn=kerberos,dc=rc,dc=usf,dc=edu
>>   Group: global_policy
>>   Max lifetime (days): 365
>>   Min lifetime (hours): 1
>>   History size: 0
>>   Character classes: 0
>>   Min length: 8
>>   Max failures: 10
>>   Failure reset interval: 60
>>   Lockout duration: 600
>>   objectclass: top, nsContainer, krbPwdPolicy
>>
>> If I create an account and set the password using the following JSON string, against $server/ipa/json, say today,
>>
>>   {
>>     "method": "user_add",
>>     "params": [
>>       [],
>>       {
>>         "uid": "it-rc-test-faculty",
>>         "homedirectory": "/home/i/it-rc-test-faculty",
>>         "userpassword": "MyPasswordInTheClear",
>>         "givenname": "RC TEST - Faculty",
>>         "sn": "Service_Account"
>>       }
>>     ]
>>   }
>>
>> I get a password expiry time like so:
>>
>>   $ ipa user-show --all it-rc-test-faculty | grep krbpasswordexpiration
>>   krbpasswordexpiration: 20130602163523Z
>>
>> That's clearly not one year into the future, but more like 90 days. Is there something else I'm missing or are we looking at a bug?
>
> I still can't reproduce this. I tried from our 3.x branch and the 2.2 bits on 6.3.
>
> Can you do:
>
>   ipa pwpolicy-show --user=it-rc-test-faculty
>
> This will show the policy applied to that user.
>
> Might also check /var/log/dirsrv/slapd-REALM/errors for anything suspicious.
>
> rob
>
>> Many thanks,
>> -Brian
>>
>> On Tue, Feb 26, 2013 at 3:22 AM, Martin Kosek mko...@redhat.com wrote:
>>> On 02/25/2013 04:38 PM, Brian Smith wrote:
>>>> It seems that regardless of the global password expiry setting, setting a password via the methods user-add and passwd I will always have a password that expires in 90 days. I followed the instructions here http://freeipa.org/page/PasswordSynchronization to avoid the immediate expiry, but I need at least 180 days for my configuration to work.
>>>>
>>>> Any help would be appreciated!
>>>
>>> Hello Brian,
>>>
>>> Updating maximum password expiration time with ipa pwpolicy-mod affects only new passwords, i.e. a password that you already changed will have the old lifetime.
>>>
>>> When I tested this on Fedora 18, password change worked for me:
>>>
>>>   # ipa pwpolicy-mod --maxlife 180
>>>   Group: global_policy
>>>   Max lifetime (days): 180
>>>   Min lifetime (hours): 1
>>>   History size: 0
>>>   Character classes: 0
>>>   Min length: 8
>>>   Max failures: 6
>>>   Failure reset interval: 60
>>>   Lockout duration: 600
>>>
>>>   # ipa user-add --first=Foo --last=Bar fbar
>>>   ---
>>>   Added user "fbar"
>>>   ---
>>>   User login: fbar
>>>   First name: Foo
>>>   Last name: Bar
>>>   Full name: Foo Bar
>>>   Display name: Foo Bar
>>>   Initials: FB
>>>   Home directory: /home/fbar
>>>   GECOS field: Foo Bar
>>>   Login shell: /bin/sh
>>>   Kerberos principal: f...@example.com
>>>   Email address: f...@example.com
>>>   UID: 175821
>>>   GID: 175821
>>>   Password: False
>>>   Member of groups: ipausers
>>>   Kerberos keys available: False
>>>
>>>   # ipa passwd fbar
>>>   New Password:
>>>   Enter New Password again to verify:
>>>   ---
>>>   Changed password for f...@example.com
>>>   ---
>>>
>>>   $ ssh f
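A small audit for the behaviour reported in this thread (an expiry that lands at 90 days regardless of the policy's max lifetime), plus the LDIF for the krbPasswordExpiration work-around mentioned above. This is an added example, not code from the thread or from FreeIPA; it assumes the password-set time is read from the account's krbLastPwdChange attribute, and the creation time in the sample is constructed so that the thread's 20130602163523Z expiry falls exactly 90 days after it.

```python
from datetime import datetime, timedelta

# LDAP GeneralizedTime, the format FreeIPA uses for krbLastPwdChange and
# krbPasswordExpiration (e.g. 20130602163523Z as shown in the thread).
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def parse_gt(value):
    """'20130602163523Z' -> naive UTC datetime."""
    return datetime.strptime(value, GENERALIZED_TIME)


def format_gt(dt):
    return dt.strftime(GENERALIZED_TIME)


def effective_lifetime_days(last_change, expiration):
    """Whole days between the last password change and the stored expiration."""
    return (parse_gt(expiration) - parse_gt(last_change)).days


def audit_user(uid, last_change, expiration, policy_maxlife_days):
    """Flag an account whose stored expiration does not follow its policy's max lifetime."""
    actual = effective_lifetime_days(last_change, expiration)
    return {
        "uid": uid,
        "expected_days": policy_maxlife_days,
        "actual_days": actual,
        "mismatch": actual != policy_maxlife_days,
    }


def corrective_ldif(user_dn, last_change, policy_maxlife_days):
    """LDIF for the work-around: krbPasswordExpiration = last change + policy max lifetime."""
    new_expiry = format_gt(parse_gt(last_change) + timedelta(days=policy_maxlife_days))
    return "\n".join([
        "dn: %s" % user_dn,
        "changetype: modify",
        "replace: krbPasswordExpiration",
        "krbPasswordExpiration: %s" % new_expiry,
        "",
    ])


if __name__ == "__main__":
    # Constructed sample: a hypothetical creation on 2013-03-04 puts the thread's
    # 20130602163523Z expiry exactly 90 days out, against a 365-day policy.
    report = audit_user("it-rc-test-faculty", "20130304163523Z", "20130602163523Z", 365)
    print(report)
    if report["mismatch"]:
        print(corrective_ldif("uid=it-rc-test-faculty,cn=users,cn=accounts,dc=rc,dc=usf,dc=edu",
                              "20130304163523Z", 365))
```

Feed the LDIF to ldapmodify as a directory manager or an account allowed to write krbPasswordExpiration; run the audit again afterwards to confirm the mismatch flag clears.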
Re: [Freeipa-users] JSON-RPC documentation?
These posts have all been really helpful (especially -vv... it's mostly trivial to translate to JSON from the XML). Thanks a lot for the suggestions!

I do have one question that might be a new thread, but for me it's related. I've added a service account user to the passSyncManagersDNs multi-valued list to avoid the initial account expiration, but it seems to put a 3 month expiration on the account despite the fact that my global password policy is 180 days. Anyone know what gives?

Thanks again!
-Brian

On Tue, Jan 15, 2013 at 6:55 AM, Petr Vobornik pvobo...@redhat.com wrote:
> Spying on the Web UI might be another way to learn the API. The Web UI uses the JSON interface for everything it does. You can open developer tools in Chrome (hit F12) and watch communication (network tab). Do something and then look for requests named 'json' and inspect the request payload.
>
> To inspect the API alone you can go through the metadata (in the console tab), which is stored in the IPA.metadata object, but I guess inspecting the python code might be easier.
>
> HTH
>
> On 01/15/2013 03:55 AM, Brian Smith wrote:
>> That helps a lot. Thanks! I would use ipalib, but I'm developing a Rails application, so the JSON interface is the quickest (and since XML may be deprecated) best way forward (unless you know a way to use it in Ruby :).
>>
>> I'm guessing in JSON, the structure would look something like this:
>>
>>   {
>>     "method": "user_add",
>>     "params": [
>>       [],
>>       {
>>         "uid": "testuser",
>>         "givenname": "Test",
>>         "sn": "User",
>>         "userpassword": "mySecretPasswordBlahBlah"
>>         ...
>>       }
>>     ]
>>   }
>>
>> Maybe I'll try to compile some documentation. I know that this page helped a lot, to cook up a quick ruby client with Curb:
>> http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/
>>
>> On Mon, Jan 14, 2013 at 9:35 PM, Rob Crittenden rcrit...@redhat.com wrote:
>>> Dmitri Pal wrote:
>>>> On 01/14/2013 08:16 PM, Brian Smith wrote:
>>>>> Before I pester the dev list, I was wondering if anyone here could point me to documentation on the JSON-RPC interface to FreeIPA. I'm not doing anything fancy, just adding users and updating passwords, so my requirements are pretty tame. I've gone through the Python code and have somewhat pieced it together myself, but would be more comfortable if there were official docs.
>>>>
>>>> I do not remember us having documentation about XML-RPC but I will check. We are actually debating deprecating XML-RPC over time in favor of JSON.
>>>
>>> There is no official documentation on either XML-RPC or JSON. The format is rather straightforward once you get the hang of things. Each command is effectively an RPC function (e.g. ipa user-add -> user_add). The arguments consist of positional arguments followed by named arguments (there is usually only one positional arg).
>>>
>>> For XML-RPC it is generally fairly easy to work out what it's doing by adding the -vv option to the command-line to see the raw request and response. I personally haven't done a lot of raw JSON work.
>>>
>>> The final option is to skip all that and use the ipalib to do the work for you. For example, to add a user you'd do something like:
>>>
>>>   from ipalib import api
>>>   from ipalib import errors
>>>
>>>   # Load the client configuration and connect the RPC backend.
>>>   api.bootstrap(context='cli')
>>>   api.finalize()
>>>   api.Backend.xmlclient.connect()
>>>
>>>   try:
>>>       api.Command['user_add'](u'newuser', loginshell=u'/bin/something', givenname=u'New', sn=u'User')
>>>   except errors.DuplicateEntry:
>>>       print "user already exists"
>>>   else:
>>>       print "user added"
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users@redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Petr Vobornik
[Freeipa-users] JSON-RPC documentation?
Before I pester the dev list, I was wondering if anyone here could point me to documentation on the JSON-RPC interface to FreeIPA. I'm not doing anything fancy, just adding users and updating passwords, so my requirements are pretty tame. I've gone through the Python code and have somewhat pieced it together myself, but would be more comfortable if there were official docs.

Thanks,
Re: [Freeipa-users] JSON-RPC documentation?
That helps a lot. Thanks! I would use ipalib, but I'm developing a Rails application, so the JSON interface is the quickest (and since XML may be deprecated) best way forward (unless you know a way to use it in Ruby :).

I'm guessing in JSON, the structure would look something like this:

  {
    "method": "user_add",
    "params": [
      [],
      {
        "uid": "testuser",
        "givenname": "Test",
        "sn": "User",
        "userpassword": "mySecretPasswordBlahBlah"
        ...
      }
    ]
  }

Maybe I'll try to compile some documentation. I know that this page helped a lot, to cook up a quick ruby client with Curb:
http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/

On Mon, Jan 14, 2013 at 9:35 PM, Rob Crittenden rcrit...@redhat.com wrote:
> Dmitri Pal wrote:
>> On 01/14/2013 08:16 PM, Brian Smith wrote:
>>> Before I pester the dev list, I was wondering if anyone here could point me to documentation on the JSON-RPC interface to FreeIPA. I'm not doing anything fancy, just adding users and updating passwords, so my requirements are pretty tame. I've gone through the Python code and have somewhat pieced it together myself, but would be more comfortable if there were official docs.
>>
>> I do not remember us having documentation about XML-RPC but I will check. We are actually debating deprecating XML-RPC over time in favor of JSON.
>
> There is no official documentation on either XML-RPC or JSON. The format is rather straightforward once you get the hang of things. Each command is effectively an RPC function (e.g. ipa user-add -> user_add). The arguments consist of positional arguments followed by named arguments (there is usually only one positional arg).
>
> For XML-RPC it is generally fairly easy to work out what it's doing by adding the -vv option to the command-line to see the raw request and response. I personally haven't done a lot of raw JSON work.
>
> The final option is to skip all that and use the ipalib to do the work for you. For example, to add a user you'd do something like:
>
>   from ipalib import api
>   from ipalib import errors
>
>   # Load the client configuration and connect the RPC backend.
>   api.bootstrap(context='cli')
>   api.finalize()
>   api.Backend.xmlclient.connect()
>
>   try:
>       api.Command['user_add'](u'newuser', loginshell=u'/bin/something', givenname=u'New', sn=u'User')
>   except errors.DuplicateEntry:
>       print "user already exists"
>   else:
>       print "user added"
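Rob's description of the wire format (one RPC function per command, positional arguments followed by named options) and Brian's draft request, turned into a small client-side helper that builds the envelope, masks the clear-text userpassword before anything is logged, and posts to $server/ipa/json. This is an added example, not code from the thread or from FreeIPA; the function names are this example's own, the endpoint URL is a placeholder, and authentication (Kerberos or a session cookie) is assumed to be handled outside the snippet.

```python
import json
import urllib.request

# Named options that carry secrets. Brian's request above sends "userpassword" in the
# clear inside the JSON body, so anything that logs the body must mask it first.
SENSITIVE_OPTIONS = {"userpassword", "password"}


def ipa_method(cli_command):
    """Map a CLI command to its RPC method name: 'user-add' -> 'user_add'."""
    return cli_command.strip().lower().replace("-", "_")


def build_request(cli_command, *args, **options):
    """JSON-RPC envelope as Rob describes it: params = [positional args, named options].
    Brian's draft passes uid as a named option instead; the envelope shape is the same."""
    return {"method": ipa_method(cli_command), "params": [list(args), dict(options)]}


def encode(request):
    """Serialise with a stable key order so payloads compare cleanly in tests and logs."""
    return json.dumps(request, sort_keys=True)


def redact(request):
    """Copy of a request with secret-bearing options masked, for logs or bug reports."""
    positional, named = request["params"]
    masked = {k: ("***" if k.lower() in SENSITIVE_OPTIONS else v) for k, v in named.items()}
    return {"method": request["method"], "params": [list(positional), masked]}


def post_json(url, request, urlopen=urllib.request.urlopen):
    """POST to $server/ipa/json. Assumes the caller already holds a valid session or
    Kerberos context (not shown); the transport is injectable so this runs offline."""
    req = urllib.request.Request(url, data=encode(request).encode("utf-8"), method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    # The JSON endpoint rejects requests without a Referer pointing at the IPA web root.
    req.add_header("Referer", url.rsplit("/json", 1)[0])
    with urlopen(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    req = build_request("user-add", "testuser", givenname="Test", sn="User",
                        userpassword="mySecretPasswordBlahBlah")
    print(encode(redact(req)))  # password masked, rest of the envelope intact
```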