Thursday, February 27, 2014

Re: [389-users] Fwd: I'm about to start coding a plugin for Heimdal Kerberos V and have a question

On 02/26/2014 11:01 PM, Paul Robert Marino wrote:
> sorry for the delayed response, I'm on vacation so I haven't been
> checking my email regularly.
>
> On Thu, Feb 20, 2014 at 5:15 PM, Rich Megginson <rmeggins@redhat.com> wrote:
>> On 02/20/2014 03:11 PM, Paul Robert Marino wrote:
>>> I tried asking this on the developer list and didn't get an answer
>>
>> There is no good answer, which is probably why no one replied . . .
>>
>>
>>> so
>>> I'm trying the user list now
>>>
>>> So here is my goal: I am about to write a plugin for Heimdal KDCs to
>>> update matching password fields in LDAP servers.
>>> In the case of 389 server it will also allow 389 server to manage
>>> password quality checks.
>>>
>>> I've been looking over the 389 server's docs and there is something I'm
>>> unclear about.
>>> How do I pass the password to 389 server to trigger the quality check
>>> and update?
>>
>> There isn't a SLAPI way to do that. FreeIPA did something similar with
>> their samba/kerberos password plugin, and they copy/pasted liberally from
>> the core 389 server code.
> It doesn't need to be via SLAPI; in fact, for compatibility reasons it's
> actually better if it's not via SLAPI but instead a direct LDAP query.
> If it is as you say then I don't see how a user updating their password
> from a client node can ever be forced to use the password quality
> check, which seems to make it somewhat useless. Instead I would have
> expected the check to be executed by a post-modify trigger on the
> password field or some other intermediate field.

Ok. I see. You are wanting to do this in conjunction with the regular
LDAP password processing. Then I think it should work.

You will probably want to do this as a BEPOSTTXN plugin, so that your
changes occur inside the same transaction as the regular password changes.

>
>>> Is it simply just a bind as an administrator then update the users
>>> password field with clear text password and let 389 server check and
>>> hash it from there, or is there more to it like a C API call?
>>>
>>> If anyone can point me to the appropriate doc, or even better the section
>>> of the appropriate doc, that would be very helpful.
>>> If anyone just happens to know the answer I would appreciate that too.
>>>
>>> Note: The resulting plugin will be posted on Github with a GPL license
>>> when I'm done.
>>>
>>> Thank You
>>> --
>>> 389 users mailing list
>>> 389-users@lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users

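An added example, not code or configuration from the thread or from the 389 project: the LDIF entry that registers a back-end transaction post-operation (BEPOSTTXN) plugin with 389 Directory Server, which is the plugin type Rich recommends above so that the plugin's work is committed or rolled back together with the password modify that triggered it. The plugin name `kdc-password-sync`, the library path `libkdcpwsync-plugin` and the init function `kdcpwsync_init` are hypothetical placeholders; the attribute names and the `betxnpostoperation` type value are the ones 389 uses for its own bundled plugins.

```ldif
# Hypothetical plugin entry (added example, not from the thread).
# Plugins live under cn=plugins,cn=config; the server loads the shared
# object named in nsslapd-pluginPath from its plugin directory at startup
# and calls nsslapd-pluginInitfunc, which registers the per-operation
# callbacks (e.g. the post-modify function) through the SLAPI pblock.
dn: cn=kdc-password-sync,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: kdc-password-sync
# Placeholder library name; resolved relative to the server's plugin dir.
nsslapd-pluginPath: libkdcpwsync-plugin
# Placeholder init function exported by that library.
nsslapd-pluginInitfunc: kdcpwsync_init
# betxnpostoperation = run after the operation, inside the backend
# transaction, so a failure here aborts the originating password change
# instead of leaving the KDC and LDAP password out of sync.
nsslapd-pluginType: betxnpostoperation
nsslapd-pluginEnabled: on
# Transaction plugins must start after the database plugin is up.
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: kdc-password-sync
nsslapd-pluginVersion: 0.1
nsslapd-pluginVendor: (placeholder vendor)
nsslapd-pluginDescription: Propagate password changes to a Heimdal KDC inside the modify transaction
```

Add the entry with `ldapmodify -a` bound as Directory Manager and restart the server; plugin registration changes under `cn=plugins,cn=config` only take effect at startup. The `betxnpreoperation` type is the matching pre-operation variant if the password has to be validated or rewritten before the modify is applied rather than propagated afterwards.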
