Re: Fwd: I'm about to start coding a plugin for Heimdal Kerberos V and have a question

[Rich Megginson <rmeggins@xxxxxxxxxx>]

On 02/26/2014 11:01 PM, Paul Robert Marino wrote:
> sorry for the delayed response I'm on vacation so I haven't been
> checking my email regularly.
>
> On Thu, Feb 20, 2014 at 5:15 PM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:
> > On 02/20/2014 03:11 PM, Paul Robert Marino wrote:
> > > I tried asking this on the developer list and didn't get an answer
> >
> > There is no good answer, which is probably why no one replied . . .
> >
> >
> > > so
> > > im trying the user list now
> > >
> > > So here is my goal I am about to write a plugin for Heimdal KDC's to
> > > update matching password fields in LDAP servers.
> > > In the case of 389 server it will also allow 389 server to manage
> > > password quality checks.
> > >
> > > Ive been looking over the 389 servers docs and there is something I'm
> > > unclear about.
> > > How do I pass the password to 389 server to trigger the quality check
> > > and update?
> >
> > There isn't a SLAPI way to do that.  FreeIPA did something similar with
> > their samba/kerberos password plugin, and they copy/pasted liberally from
> > the core 389 server code.
> It doesn't need to be via SLAPI in fact for compatibility reasons its
> actually better if its not via SLAPI but instead a direct LDAP query.
> If it is as you say than I dont see how a user updating their pasword
> from a client node can ever be forced to use the password quality
> check which seam to make it somewhat useless. Instead I would have
> expected the check to be executed by a post modify trigger on the
> password field or some other intermediate field.

Ok.  I see.  You are wanting to do this in conjunction with the regular 
LDAP password processing.  Then I think it should work.

You will probably want to do this as a BEPOSTTXN plugin, so that your 
changes occur inside the same transaction as the regular password changes.

> > > Is it simply just a bind as an administrator then update the users
> > > password field with clear text password and let 389 server check and
> > > hash it from there, or is there more to it like a C API call?
> > >
> > > If any one can point me to the appropriate doc or even better section
> > > of the appropriate doc that would be very helpful.
> > > If any one just happens to knows the answer I would appreciate that too.
> > >
> > > Note: The resulting plugin will be posted on Github with a GPL license
> > > when I'm done.
> > >
> > > Thank You
> > > --
> > > 389 users mailing list
> > > 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> > > https://admin.fedoraproject.org/mailman/listinfo/389-users
> >
> > --
> > 389 users mailing list
> > 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> > https://admin.fedoraproject.org/mailman/listinfo/389-users
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users