freeipa-password-reset
Using service instead of user
Currently it's using an ipa user to reset password, instead of an ipa service.
Consider:
```shell
ipa role-add "Self Password Reset"
ipa role-add-privilege "Self Password Reset" --privileges="Modify Users and Reset passwords"
ipa role-add-privilege "Self Password Reset" --privileges="Password Policy Readers"
ipa service-add 'ldap-passwd-reset/domain.tld'
ipa role-add-member 'Self Password Reset' --services='ldap-passwd-reset/domain.tld'
```
Or create a permission for Type User with krbprincipalkey, userpassword and krbpasswordexpiration, and assign it to the role
```shell
# Fetch a keytab for the service principal (the original post spelled the domain "domain.told"; corrected to domain.tld to match the service added above)
ipa-getkeytab -p 'ldap-passwd-reset/domain.tld' -s domain.tld -k /opt/IPAPasswordReset/ldap-passwd-reset.keytab
# Obtain a ticket from the keytab and verify it
kinit -t /opt/IPAPasswordReset/ldap-passwd-reset.keytab -k ldap-passwd-reset/domain.tld
klist
# Confirm the LDAP server sees the service identity over GSSAPI
ldapwhoami -Y GSSAPI
```
Then use it as follows in settings.py:
```python
LDAP_USER = "ldap-passwd-reset/domain.tld"
KEYTAB_PATH = "/opt/IPAPasswordReset/ldap-passwd-reset.keytab"
```
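A check that fits after the procedure above, added here as an example and not part of the freeipa-password-reset project: before the application binds with GSSAPI, confirm that the keytab on disk actually holds the principal configured in LDAP_USER and that the file is not readable by group or other users (a keytab is a long-lived credential with "Modify Users and Reset passwords" rights, so it deserves the same handling as a private key). The `klist -kt` output embedded below is a constructed sample in MIT Kerberos format, not output from any real host; the function names are this example's own.

```python
import os
import stat
import subprocess

# Values as given in the issue's settings.py snippet
LDAP_USER = "ldap-passwd-reset/domain.tld"
KEYTAB_PATH = "/opt/IPAPasswordReset/ldap-passwd-reset.keytab"

# Constructed sample of MIT `klist -kt` output (not captured from a real system)
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/opt/IPAPasswordReset/ldap-passwd-reset.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/01/2024 00:00:00 ldap-passwd-reset/domain.tld@DOMAIN.TLD
   2 01/01/2024 00:00:00 ldap-passwd-reset/domain.tld@DOMAIN.TLD
"""


def principals_in_keytab(klist_output):
    """Return the set of principals listed in `klist -kt` output.

    The table body starts after the dashed separator line; the principal is
    the last whitespace-separated field of each row.
    """
    principals = set()
    in_table = False
    for line in klist_output.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        principals.add(line.split()[-1])
    return principals


def strip_realm(principal):
    """Drop the @REALM suffix so 'svc/host@REALM' compares equal to 'svc/host'."""
    return principal.split("@", 1)[0]


def keytab_matches_setting(klist_output, ldap_user):
    """True if the keytab is non-empty and every entry is the configured principal.

    A keytab that also carries some other principal (an admin's, for instance)
    would let the app authenticate as more than the service it should be.
    """
    principals = principals_in_keytab(klist_output)
    wanted = strip_realm(ldap_user)
    return bool(principals) and all(strip_realm(p) == wanted for p in principals)


def mode_is_private(mode):
    """True if the mode grants no group/other permission bits (0600 or stricter)."""
    return (stat.S_IMODE(mode) & 0o077) == 0


def audit_keytab_file(path):
    """Check the keytab on disk; return a list of problems (empty means OK)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["keytab missing: " + path]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if not mode_is_private(st.st_mode):
        problems.append("mode %o exposes the key to group/other; chmod 600" % stat.S_IMODE(st.st_mode))
    return problems


def read_keytab_principals(path):
    """Run `klist -kt` on a real keytab (needs MIT Kerberos client tools installed)."""
    out = subprocess.run(["klist", "-kt", path], capture_output=True, text=True, check=True).stdout
    return principals_in_keytab(out)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample
    print(principals_in_keytab(SAMPLE_KLIST_OUTPUT))
    print(keytab_matches_setting(SAMPLE_KLIST_OUTPUT, LDAP_USER))
    # On a deployed host this reports permission problems with the real keytab
    print(audit_keytab_file(KEYTAB_PATH))
```

Run it at service start-up (or from a deployment check) and refuse to start if `audit_keytab_file` returns problems or `keytab_matches_setting` is false; that catches a keytab that was fetched for the wrong principal or left world-readable by a permissive umask.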
Thank you for the feedback. What is the benefit of using a service instead of a user?
Hi,
Well, it's conceptual, from my point of view a user type account is for real users, and services accounts are for machines and services. In this case, "ldap-passwd-reset" is a service.
Anyway, thanks for your nice work!
What about password policies? Will they be followed if we have it as a service? BTW, it isn't happening while it is a normal user, so... you know.