Re: [Freeipa-users] External Self Help Suggestions.

2015-05-19 Thread Dmitri Pal

On 05/14/2015 07:09 PM, William Graboyes wrote:
> Hi Dmitri,
>
> No I am sticking to the 90 day, gotta start the change in the right direction
> somewhere :).
>
> So I am trying out LTB Self service password, and I am wondering if there is
> documentation anywhere on how to create a service style account that has the
> ability to change a password without forcing the user to reset their password
> on next login.  This would be for if a user forgets their password and uses a
> mail token style auth.

Sorry for the delay.
I know there is a way to create such an account.
It is not exposed in the UI.
Here is the ticket to do it in UI/CLI:
https://fedorahosted.org/freeipa/ticket/2801

But I do not remember the procedure off the top of my head.
It might be found in the archives as it was explained a couple of times in
the past.

> Thanks,
> Bill
> On 5/13/15 5:28 PM, Dmitri Pal wrote:
>> On 05/13/2015 08:18 PM, William Graboyes wrote:
>>> Hi Dmitri,
>>>
>>> That is quite a bucket of stuff... On the CA-less install, basically I
>>> don't want to have my users change their passwords again (they are
>>> complaining about the every 90 day password rotation policy), we do
>>> not have an internal CA, most of our "desk top support" folks don't
>>> even have access to all of the desktops in the place.  Like I said
>>> this place is mind bending when it comes to standard practices.  The
>>> CA-less would be good if it were possible to make that change in
>>> place, or make the change by standing up a new IPA server and having
>>> the ability to import the current data set.
>>>
>>> I was looking at PWM, and may try to get that implemented.
>>
>> Another option is to reset expiration time in the user entry and set it
>> some date close to 2038 which is the end of the 32-bit time.
>> If the problem is 90 day policy you can just change the policy to be
>> 5000 days and then next time people change password they would not be
>> bothered for another 5000 days or so (make sure it does not roll over).
>> For people that already have 90 days in their entry you can run a script
>> once and move the date into the future.
>>
>> People have done it for the same reason and in the same way.
>>
>>> Thanks,
>>> Bill
>>>
>>> On 5/13/15 5:00 PM, Dmitri Pal wrote:
>>>> On 05/13/2015 07:40 PM, William Graboyes wrote:
>>>>> -BEGIN PGP SIGNED MESSAGE-
>>>>> Hash: SHA512
>>>>>
>>>>> Hi List,
>>>>>
>>>>> I am trying to figure out a method of allowing users who do not have
>>>>> shell access to change their own passwords.  The GUI that comes with
>>>>> FreeIPA is out of the question due to the untrusted CA (yes I know we
>>>>> are a strange shop, there is nothing I can do about it, and you would
>>>>> want to gouge your eyes out if I told you the full story) becoming a
>>>>> "Bad habit forming" method of changing one's password.  I have been
>>>>> looking around for about a week now, and am somewhat lost and
>>>>> perplexed. The old documentation for FreeIPA basically says that it is
>>>>> not a good idea to manipulate the password directly in LDAP (and even
>>>>> then finding what hash is being used has been next to impossible).
>>>>>
>>>>> So the question is this, does anyone know of any tools out there that
>>>>> can happily, or even with some modification, allow me to set up a
>>>>> trusted external ssl site that allows users to change their passwords.
>>>>
>>>> There is no external password reset self service in IPA yet. We will be
>>>> starting to look into this effort during summer.
>>>> Take a look at the bucket of tickets in the "FreeIPA Community Portal
>>>> Release" here https://fedorahosted.org/freeipa/report/3.
>>>>
>>>> What prevents you from making IPA trusted? You can chain IPA to your CA
>>>> or use it CA-less with certs from your own CA.
>>>> Then the UI would be an option I assume.
>>>>
>>>> Another option is https://code.google.com/p/pwm/
>>>>
>>>>> Thanks,
>>>>> Bill

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] External Self Help Suggestions.

2015-05-14 Thread William Graboyes
Hi Dmitri,

No I am sticking to the 90 day, gotta start the change in the right direction 
somewhere :).

So I am trying out LTB Self service password, and I am wondering if there is
documentation anywhere on how to create a service style account that has the
ability to change a password without forcing the user to reset their password
on next login.  This would be for if a user forgets their password and uses a
mail token style auth.

Thanks,
Bill
On 5/13/15 5:28 PM, Dmitri Pal wrote:
> On 05/13/2015 08:18 PM, William Graboyes wrote:
> > Hi Dmitri,
> >
> > That is quite a bucket of stuff... On the CA-less install, basically I
> > don't want to have my users change their passwords again (they are
> > complaining about the every 90 day password rotation policy), we do
> > not have an internal CA, most of our "desk top support" folks don't
> > even have access to all of the desktops in the place.  Like I said
> > this place is mind bending when it comes to standard practices.  The
> > CA-less would be good if it were possible to make that change in
> > place, or make the change by standing up a new IPA server and having
> > the ability to import the current data set.
> >
> > I was looking at PWM, and may try to get that implemented.
>
> Another option is to reset expiration time in the user entry and set it
> some date close to 2038 which is the end of the 32-bit time.
> If the problem is 90 day policy you can just change the policy to be
> 5000 days and then next time people change password they would not be
> bothered for another 5000 days or so (make sure it does not roll over).
> For people that already have 90 days in their entry you can run a script
> once and move the date into the future.
>
> People have done it for the same reason and in the same way.
>
> >
> > Thanks,
> > Bill
> >
> > On 5/13/15 5:00 PM, Dmitri Pal wrote:
> >> On 05/13/2015 07:40 PM, William Graboyes wrote:
> >>> -BEGIN PGP SIGNED MESSAGE-
> >>> Hash: SHA512
> >>>
> >>> Hi List,
> >>>
> >>> I am trying to figure out a method of allowing users who do not have
> >>> shell access to change their own passwords.  The GUI that comes with
> >>> FreeIPA is out of the question due to the untrusted CA (yes I know we
> >>> are a strange shop, there is nothing I can do about it, and you would
> >>> want to gouge your eyes out if I told you the full story) becoming a
> >>> "Bad habit forming" method of changing one's password.  I have been
> >>> looking around for about a week now, and am somewhat lost and
> >>> perplexed. The old documentation for FreeIPA basically says that it is
> >>> not a good idea to manipulate the password directly in LDAP (and even
> >>> then finding what hash is being used has been next to impossible).
> >>>
> >>> So the question is this, does anyone know of any tools out there that
> >>> can happily, or even with some modification, allow me to set up a
> >>> trusted external ssl site that allows users to change their passwords.
> >> There is no external password reset self service in IPA yet. We will be
> >> starting to look into this effort during summer.
> >> Take a look at the bucket of tickets in the "FreeIPA Community Portal
> >> Release" here https://fedorahosted.org/freeipa/report/3.
> >>
> >> What prevents you from making IPA trusted? You can chain IPA to your CA
> >> or use it CA-less with certs from your own CA.
> >> Then UI would be an option I assume.
> >>
> >> Other option is https://code.google.com/p/pwm/
> >>
> >>> Thanks,
> >>> Bill
> >>> -BEGIN PGP SIGNATURE-
> >>> Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
> >>> Comment: GPGTools - https://gpgtools.org
> >>>
> >>> iQIcBAEBCgAGBQJVU+DdAAoJEJFMz73A1+zryTIP/1dLBYfMwSNkvICW8PToUkD6
> >>> MCQQt+yGblI2gqZiVm2NCHD4Lto4sDUJSdnQF++kcuCTd0u4P5twFR/LejIAa/Jc
> >>> bKCO7XSmfBEh/+ArVeUBSsoBec2V0h6x3i98mChD55DzuRJj4HiIxGgM1KdeAgaV
> >>> UdwI9wQEKOUCyHZyDVdEk/g+X1QMnNBPUXhdEiHtAkbqkxSan01iw2k1mGjfIOWU
> >>> NfOThdj7K9vE18YIKuJ7L/uztvNyAaj+ZsR1uKayYxlpgMalUJDHW1u3gX2MPELm
> >>> zpDWVj7mR0iZ78AJlSG0J7+ughBMq5jarlzdCYTHmFqe0dszmafDAdxIBKmWw+IW
> >>> /BXIMDTR/CjoPW4D65fewEcqIVrODDft6GNDg7aYa0dF8eiOjQM3wNUVjmgBESBK
> >>> ztcGuFID+bl96+GABuSo9OFS36/dKskhGK125gvpEgU8pWM4+POQDtWlHjFHw5Ml
> >>> 1ZCZHxrQOp/drolh50uMTl6QrZSKt0U3Kikw+zzj5itAEtbhVrnfw7nvJHlhPsy/
> >>> 7CG2WMv/iwXzif+ogSN6ClkOxSTqHftS2BW9uMP7meLNK0tRiCtTVSXSXIizTR96
> >>> ZbCb9zbETfHYj2KE3nLeKAeycaN15+8NK1YgVYEh+ZqbsgdFgD6src6X/NP3v3dX
> >>> kzyr3+tqYdDbgibcYyhd
> >>> =5KCr
> >>> -END PGP SIGNATURE-
> >>>
> >>
>
>



Re: [Freeipa-users] External Self Help Suggestions.

2015-05-13 Thread Dmitri Pal

On 05/13/2015 08:18 PM, William Graboyes wrote:
> Hi Dmitri,
>
> That is quite a bucket of stuff... On the CA-less install, basically I don't want to have
> my users change their passwords again (they are complaining about the every 90 day
> password rotation policy), we do not have an internal CA, most of our "desk top
> support" folks don't even have access to all of the desktops in the place.  Like I
> said this place is mind bending when it comes to standard practices.  The CA-less would
> be good if it were possible to make that change in place, or make the change by standing
> up a new IPA server and having the ability to import the current data set.
>
> I was looking at PWM, and may try to get that implemented.

Another option is to reset expiration time in the user entry and set it
some date close to 2038 which is the end of the 32-bit time.
If the problem is 90 day policy you can just change the policy to be
5000 days and then next time people change password they would not be
bothered for another 5000 days or so (make sure it does not roll over).
For people that already have 90 days in their entry you can run a script
once and move the date into the future.

People have done it for the same reason and in the same way.

> Thanks,
> Bill
>
> On 5/13/15 5:00 PM, Dmitri Pal wrote:
>> On 05/13/2015 07:40 PM, William Graboyes wrote:
>>> -BEGIN PGP SIGNED MESSAGE-
>>> Hash: SHA512
>>>
>>> Hi List,
>>>
>>> I am trying to figure out a method of allowing users who do not have
>>> shell access to change their own passwords.  The GUI that comes with
>>> FreeIPA is out of the question due to the untrusted CA (yes I know we
>>> are a strange shop, there is nothing I can do about it, and you would
>>> want to gouge your eyes out if I told you the full story) becoming a
>>> "Bad habit forming" method of changing one's password.  I have been
>>> looking around for about a week now, and am somewhat lost and
>>> perplexed. The old documentation for FreeIPA basically says that it is
>>> not a good idea to manipulate the password directly in LDAP (and even
>>> then finding what hash is being used has been next to impossible).
>>>
>>> So the question is this, does anyone know of any tools out there that
>>> can happily, or even with some modification, allow me to set up a
>>> trusted external ssl site that allows users to change their passwords.
>>
>> There is no external password reset self service in IPA yet. We will be
>> starting to look into this effort during summer.
>> Take a look at the bucket of tickets in the "FreeIPA Community Portal
>> Release" here https://fedorahosted.org/freeipa/report/3.
>>
>> What prevents you from making IPA trusted? You can chain IPA to your CA
>> or use it CA-less with certs from your own CA.
>> Then the UI would be an option I assume.
>>
>> Another option is https://code.google.com/p/pwm/
>>
>>> Thanks,
>>> Bill

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.

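The two steps suggested in this message (raise the policy's maximum password life, then run a one-off script that pushes the existing users' expiration dates into the future without crossing the 2038 rollover) can be scripted as below. This is an added example, not code from the thread or from the FreeIPA project. It assumes that the per-user expiration lives in the `krbPasswordExpiration` attribute as an LDAP generalized-time value, that user entries sit under `cn=users,cn=accounts,<suffix>`, and that the generated LDIF is applied with `ldapmodify` bound as Directory Manager; the sample entries and dates are constructed for the example.

```python
"""Bump FreeIPA password expirations past a short max-life policy.

Added example (not from the thread or the FreeIPA project).
Step 1, done by hand with the IPA CLI, raises the global policy:
    ipa pwpolicy-mod --maxlife=5000
That does not touch krbPasswordExpiration already stored on existing
users, so step 2 (this script) rewrites those values, clamped below
the signed 32-bit time_t rollover so the date can never wrap.
Assumptions: users under cn=users,cn=accounts,<suffix>; expiration in
krbPasswordExpiration (generalized time); LDIF applied via ldapmodify.
"""
from datetime import datetime, timedelta, timezone

GENTIME = "%Y%m%d%H%M%SZ"
# Last instant a signed 32-bit time_t can hold: 2038-01-19 03:14:07 UTC.
TIME_T_ROLLOVER = datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)
# Keep clamped values a full day short of the rollover.
ROLLOVER_MARGIN = timedelta(days=1)


def parse_gentime(value: str) -> datetime:
    """Parse an LDAP generalized-time value such as 20150801000000Z."""
    return datetime.strptime(value, GENTIME).replace(tzinfo=timezone.utc)


def safe_expiration(days: int, now: datetime) -> str:
    """Generalized-time stamp `days` after `now`, clamped so that it
    stays below the 2038 rollover ("make sure it does not roll over")."""
    target = now + timedelta(days=days)
    limit = TIME_T_ROLLOVER - ROLLOVER_MARGIN
    if target > limit:
        target = limit
    return target.strftime(GENTIME)


def needs_bump(entry: dict, now: datetime, horizon_days: int = 90) -> bool:
    """True if the entry's password expires within `horizon_days` of `now`.
    Entries without the attribute are left untouched."""
    value = entry.get("krbPasswordExpiration")
    if not value:
        return False
    return parse_gentime(value) <= now + timedelta(days=horizon_days)


def build_ldif(entries: list, new_expiration: str, now: datetime,
               horizon_days: int = 90) -> str:
    """One LDIF 'modify' record per user whose expiration must move."""
    records = []
    for entry in entries:
        if needs_bump(entry, now, horizon_days):
            records.append(
                "dn: %s\n"
                "changetype: modify\n"
                "replace: krbPasswordExpiration\n"
                "krbPasswordExpiration: %s\n" % (entry["dn"], new_expiration)
            )
    return "\n".join(records)


# Constructed sample data (not real directory content). In practice these
# come from an ldapsearch over cn=users,cn=accounts,<suffix> that requests
# the krbPasswordExpiration attribute.
SAMPLE_NOW = datetime(2015, 5, 14, 0, 0, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,cn=users,cn=accounts,dc=example,dc=test",
     "krbPasswordExpiration": "20150601000000Z"},   # expires in ~2 weeks
    {"dn": "uid=bob,cn=users,cn=accounts,dc=example,dc=test",
     "krbPasswordExpiration": "20270101000000Z"},   # already far out
    {"dn": "uid=carol,cn=users,cn=accounts,dc=example,dc=test"},  # no value
]


def sample_ldif() -> str:
    """LDIF for the sample set: only alice falls inside the 90-day horizon."""
    new_exp = safe_expiration(5000, SAMPLE_NOW)   # 20290120000000Z
    return build_ldif(SAMPLE_ENTRIES, new_exp, SAMPLE_NOW)


if __name__ == "__main__":
    # Pipe into: ldapmodify -x -D "cn=Directory Manager" -W
    print(sample_ldif(), end="")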


Re: [Freeipa-users] External Self Help Suggestions.

2015-05-13 Thread William Graboyes
Hi Dmitri,

That is quite a bucket of stuff... On the CA-less install, basically I don't 
want to have my users change their passwords again (they are complaining about 
the every 90 day password rotation policy), we do not have an internal CA, most 
of our "desk top support" folks don't even have access to all of the desktops 
in the place.  Like I said this place is mind bending when it comes to standard 
practices.  The CA-less would be good if it were possible to make that change 
in place, or make the change by standing up a new IPA server and having the 
ability to import the current data set.

I was looking at PWM, and may try to get that implemented.

Thanks,
Bill

On 5/13/15 5:00 PM, Dmitri Pal wrote:
> On 05/13/2015 07:40 PM, William Graboyes wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA512
> >
> > Hi List,
> >
> > I am trying to figure out a method of allowing users who do not have
> > shell access to change their own passwords.  The GUI that comes with
> > FreeIPA is out of the question due to the untrusted CA (yes I know we
> > are a strange shop, there is nothing I can do about it, and you would
> > want to gouge your eyes out if I told you the full story) becoming a
> > "Bad habit forming" method of changing one's password.  I have been
> > looking around for about a week now, and am somewhat lost and
> > perplexed. The old documentation for FreeIPA basically says that it is
> > not a good idea to manipulate the password directly in LDAP (and even
> > then finding what hash is being used has been next to impossible).
> >
> > So the question is this, does anyone know of any tools out there that
> > can happily, or even with some modification, allow me to set up a
> > trusted external ssl site that allows users to change their passwords.
>
> There is no external password reset self service in IPA yet. We will be
> starting to look into this effort during summer.
> Take a look at the bucket of tickets in the "FreeIPA Community Portal
> Release" here https://fedorahosted.org/freeipa/report/3.
>
> What prevents you from making IPA trusted? You can chain IPA to your CA
> or use it CA-less with certs from your own CA.
> Then UI would be an option I assume.
>
> Other option is https://code.google.com/p/pwm/
>
> >
> > Thanks,
> > Bill
> > -BEGIN PGP SIGNATURE-
> > Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
> > Comment: GPGTools - https://gpgtools.org
> >
> > iQIcBAEBCgAGBQJVU+DdAAoJEJFMz73A1+zryTIP/1dLBYfMwSNkvICW8PToUkD6
> > MCQQt+yGblI2gqZiVm2NCHD4Lto4sDUJSdnQF++kcuCTd0u4P5twFR/LejIAa/Jc
> > bKCO7XSmfBEh/+ArVeUBSsoBec2V0h6x3i98mChD55DzuRJj4HiIxGgM1KdeAgaV
> > UdwI9wQEKOUCyHZyDVdEk/g+X1QMnNBPUXhdEiHtAkbqkxSan01iw2k1mGjfIOWU
> > NfOThdj7K9vE18YIKuJ7L/uztvNyAaj+ZsR1uKayYxlpgMalUJDHW1u3gX2MPELm
> > zpDWVj7mR0iZ78AJlSG0J7+ughBMq5jarlzdCYTHmFqe0dszmafDAdxIBKmWw+IW
> > /BXIMDTR/CjoPW4D65fewEcqIVrODDft6GNDg7aYa0dF8eiOjQM3wNUVjmgBESBK
> > ztcGuFID+bl96+GABuSo9OFS36/dKskhGK125gvpEgU8pWM4+POQDtWlHjFHw5Ml
> > 1ZCZHxrQOp/drolh50uMTl6QrZSKt0U3Kikw+zzj5itAEtbhVrnfw7nvJHlhPsy/
> > 7CG2WMv/iwXzif+ogSN6ClkOxSTqHftS2BW9uMP7meLNK0tRiCtTVSXSXIizTR96
> > ZbCb9zbETfHYj2KE3nLeKAeycaN15+8NK1YgVYEh+ZqbsgdFgD6src6X/NP3v3dX
> > kzyr3+tqYdDbgibcYyhd
> > =5KCr
> > -END PGP SIGNATURE-
> >
>
>



Re: [Freeipa-users] External Self Help Suggestions.

2015-05-13 Thread Dmitri Pal

On 05/13/2015 07:40 PM, William Graboyes wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> Hi List,
>
> I am trying to figure out a method of allowing users who do not have
> shell access to change their own passwords.  The GUI that comes with
> FreeIPA is out of the question due to the untrusted CA (yes I know we
> are a strange shop, there is nothing I can do about it, and you would
> want to gouge your eyes out if I told you the full story) becoming a
> "Bad habit forming" method of changing one's password.  I have been
> looking around for about a week now, and am somewhat lost and
> perplexed. The old documentation for FreeIPA basically says that it is
> not a good idea to manipulate the password directly in LDAP (and even
> then finding what hash is being used has been next to impossible).
>
> So the question is this, does anyone know of any tools out there that
> can happily, or even with some modification, allow me to set up a
> trusted external ssl site that allows users to change their passwords.

There is no external password reset self service in IPA yet. We will be
starting to look into this effort during summer.
Take a look at the bucket of tickets in the "FreeIPA Community Portal
Release" here https://fedorahosted.org/freeipa/report/3.

What prevents you from making IPA trusted? You can chain IPA to your CA
or use it CA-less with certs from your own CA.

Then the UI would be an option I assume.

Another option is https://code.google.com/p/pwm/

> Thanks,
> Bill

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
