Re: [Freeipa-users] How to implement password expiration notifications?
On Thu, 09 Jun 2016, Anthony Messina wrote:
> On Wednesday, June 08, 2016 03:17:28 PM Eivind Olsen wrote:
> > Now I guess the next step is figuring out how to tell "ldapsearch" to
> > work with gssproxy (unless I've made some other glaring mistake
>
> In your script...
>
> export GSS_USE_PROXY="yes"
> ldapsearch -Y GSSAPI ...

And it should be client_keytab, not just keytab, in the gssproxy config, I think.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] How to implement password expiration notifications?
On Wednesday, June 08, 2016 03:17:28 PM Eivind Olsen wrote:
> Now I guess the next step is figuring out how to tell "ldapsearch" to
> work with gssproxy (unless I've made some other glaring mistake

In your script...

export GSS_USE_PROXY="yes"
ldapsearch -Y GSSAPI ...

--
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
F9B6 560E 68EA 037D 8C3D D1C9 FF31 3BDB D9D8 99B6
Re: [Freeipa-users] How to implement password expiration notifications?
On 2016-06-08 14:00, Alexander Bokovoy wrote:
> Make a service (ipa service-add), download a keytab with the key for
> this service and use gss-proxy to provide refreshing credentials based
> on the keytab to a script that runs periodically.

Hm. I like that idea, now I just need to actually make it work here :)

I have done:

ipa service-add PWDREMIND/script.host.fqdn
ipa-getkeytab -s script.host.fqdn -k /etc/gssproxy/pwdremind.keytab -p PWDREMIND/script.host.fqdn

...and I have a file /etc/gssproxy/pwdremind.keytab

I added a section to /etc/gssproxy/gssproxy.conf :

[service/PWDREMIND]
  mechs = krb5
  cred_store = keytab:/etc/gssproxy/pwdremind.keytab
  cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
  euid = 0

I guess I could run the password reminder script as another user in cron and change the euid line above accordingly.

Now I guess the next step is figuring out how to tell "ldapsearch" to work with gssproxy (unless I've made some other glaring mistake already).

Regards
Eivind Olsen
Re: [Freeipa-users] How to implement password expiration notifications?
On Wed, 08 Jun 2016, Eivind Olsen wrote:
> We have previously used a script to send "password expiration" reminders
> to our users. The script did this by doing an LDAP search and checking
> krbLastPwdChange and krbPasswordExpiration.
>
> This seems to have stopped working, possibly a while ago. It now looks
> like the script is unable to match anything with the following filter:
>
> "(&(!(nsAccountLock=TRUE))(krbLastPwdChange<=$(date +%Y%m%d --date='-1 week')00Z)(krbPasswordExpiration<=$(date +%Y%m%d --date='+1 week')00Z))"
>
> ...that is, unless I run it manually and tell ldapsearch I want to use
> GSSAPI.

No, you need to be authenticated, no matter how. Anonymous connections
don't have access to the majority of attributes in FreeIPA 4.x+.

> What's the best / proper way of implementing something like this on a
> more recent IPA (say, running on RHEL 7.2 with IPA 4.2.0)? I see some
> possible methods but none of these feel "right":

Make a service (ipa service-add), download a keytab with the key for
this service and use gss-proxy to provide refreshing credentials based
on the keytab to a script that runs periodically.

> * I can hardcode an admin user + password in the script, and have it
>   run "kinit"
> * I can create a keytab file for a user and use that
> * I can modify ACL/ACIs in 389ds
>
> Am I overlooking a nice and obvious solution? :)

Your 'keytab' solution should be OK but I strongly suggest you use a
service, not a user, here.

--
/ Alexander Bokovoy
[Freeipa-users] How to implement password expiration notifications?
We have previously used a script to send "password expiration" reminders to our users. The script did this by doing an LDAP search and checking krbLastPwdChange and krbPasswordExpiration.

This seems to have stopped working, possibly a while ago. It now looks like the script is unable to match anything with the following filter:

"(&(!(nsAccountLock=TRUE))(krbLastPwdChange<=$(date +%Y%m%d --date='-1 week')00Z)(krbPasswordExpiration<=$(date +%Y%m%d --date='+1 week')00Z))"

...that is, unless I run it manually and tell ldapsearch I want to use GSSAPI.

What's the best / proper way of implementing something like this on a more recent IPA (say, running on RHEL 7.2 with IPA 4.2.0)? I see some possible methods but none of these feel "right":

* I can hardcode an admin user + password in the script, and have it run "kinit"
* I can create a keytab file for a user and use that
* I can modify ACL/ACIs in 389ds

Am I overlooking a nice and obvious solution? :)

Regards
Eivind Olsen
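The pieces discussed across this thread (Eivind's expiry filter, the PWDREMIND service with a gss-proxy section, and Anthony's GSS_USE_PROXY / -Y GSSAPI invocation) put together as one cron script. This is an added example, not code posted by anyone in the thread. It assumes the gssproxy.conf section Eivind showed (with Alexander's client_keytab correction applied), that cron runs the script as the account whose euid matches that section, GNU date (as in the thread's own filter), and placeholder values for the IPA server name and users base DN.

```shell
#!/bin/sh
# Added example, not code from the thread: a cron-driven reminder script that
# runs the thread's LDAP filter as the PWDREMIND service through gss-proxy.
# Assumptions (placeholders, not from the thread): the IPA server name
# ipa.example.test, the users base DN, and that cron runs this as the account
# whose euid matches the [service/PWDREMIND] section in gssproxy.conf.
# GNU date is assumed, as in the thread's own filter.
set -eu

IPA_HOST="${IPA_HOST:-ipa.example.test}"                         # placeholder
BASE_DN="${BASE_DN:-cn=users,cn=accounts,dc=example,dc=test}"    # placeholder

# Build the thread's filter relative to a reference day (YYYY-MM-DD):
# password last changed at least a week ago, expiring within a week,
# account not locked. Timestamps are midnight UTC in full GeneralizedTime
# (the thread's "...00Z" is the equivalent hour-only form).
pwd_filter() {
    ref="$1"
    changed_before=$(date +%Y%m%d --date="$ref -1 week")
    expires_before=$(date +%Y%m%d --date="$ref +1 week")
    printf '(&(!(nsAccountLock=TRUE))(krbLastPwdChange<=%s000000Z)(krbPasswordExpiration<=%s000000Z))' \
        "$changed_before" "$expires_before"
}

# Reduce LDIF on stdin (ldapsearch -LLL output) to "uid expiration" lines,
# one per entry; entries are separated by blank lines.
parse_ldif() {
    awk '
        /^uid: /                   { uid = $2 }
        /^krbPasswordExpiration: / { expires = $2 }
        /^$/ && uid != ""          { print uid, expires; uid = ""; expires = "" }
        END                        { if (uid != "") print uid, expires }
    '
}

# The authenticated search from Anthony's and Alexander's replies:
# GSS_USE_PROXY=yes makes libgssapi obtain credentials from gss-proxy, which
# refreshes them from the service keytab, and -Y GSSAPI selects Kerberos
# over SASL (-Q suppresses the SASL progress messages on stderr).
search_expiring() {
    ref="${1:-$(date +%Y-%m-%d)}"
    GSS_USE_PROXY=yes ldapsearch -LLL -Q -Y GSSAPI -H "ldap://$IPA_HOST" \
        -b "$BASE_DN" "$(pwd_filter "$ref")" uid krbPasswordExpiration \
        | parse_ldif
}

# Cron entry point; runs only when called with "run" so the functions above
# can also be sourced. Replace the echo with the site's mail command.
if [ "${1:-}" = "run" ]; then
    search_expiring | while read -r uid expires; do
        echo "reminder: password for $uid expires at $expires"
    done
fi
```

Because the credential comes from gss-proxy rather than a password or a user keytab readable by the script, the script itself never holds a long-lived secret; the service principal can also be limited to the read permissions the reminder needs rather than running as admin.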