On 13.02.24 18:54, Christian Heimes via FreeIPA-users wrote:
On 13/02/2024 18.03, Ronald Wimmer via FreeIPA-users wrote:
On 13.02.24 17:47, Rob Crittenden wrote:
I don't think it's possible to speculate without knowing your process.
This requires the cleartext password so assuming you create the staged
user then immediately activate them, that would be the time to do the
bind. Otherwise you have to store cleartext passwords and that is a
recipe for disaster.
User is created by an external tool. User activation in IPA is done by
a script on one of the IPA servers periodically. Sadly, the external
tool cannot do an initial LDAP bind in order to create a user's krb
LDAP attributes. I am looking for a simple way these properties are
created.
Sure I could say a user has to SSH somewhere but why can't that happen
if a user tries to login to IPA's WebGUI and the krb properties are
missing? Or is there another option for users to accomplish this?
Because the IPA WebUI uses the Kerberos extension S4U2Proxy under the
hood. It allows the WebUI to talk to the LDAP server on behalf of the
user. This feature requires proper Kerberos credentials. See
https://www.freeipa.org/page/V4/Service_Constraint_Delegation
I already mentioned the recommended option to achieve this a while ago.
You may have missed the piece of information in this very long thread.
IPA servers have a special /ipa/migration route (e.g.
https://ipa.demo1.freeipa.org/ipa/migration/) for password migration.
Under the hood the endpoint just does an LDAP bind with username and
password. You can ask your users to either log into a machine with ssh
or go to the migration page.
You wrote "under the hood it just does an LDAP bind". We let the
external IAM system do an LDAP bind whenever a user's password changes.
So we do not need to force users to establish an SSH connection or call
the /ipa/migration route manually.
Is it ok from your point of view to do it like that or do you see any
culprits?
Cheers,
Ronald
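The approach discussed above (a plain LDAP bind as the user, which is what the /ipa/migration endpoint does under the hood, done by the external IAM system right after it sets the password), as an added example that is not from this thread or from FreeIPA's own code. It assumes the ldap3 library; the host, base DN, uid policy and CA file are placeholders, and IPA only derives Kerberos keys on bind while migration mode (the ipaMigrationEnabled config flag) is enabled.

```python
"""Added example: LDAP simple bind as a freshly provisioned IPA user so the
password plugin derives the user's Kerberos keys, plus a check that it did.
Assumes ldap3; host, base DN, uid policy and CA path are placeholders."""
import re
import ssl

# Once keys exist IPA stamps krbLastPwdChange; krbPrincipalKey itself is an
# operational attribute not readable by ordinary binds, so the timestamp is
# the practical evidence (whether you may read it depends on the binding
# account's IPA permissions - assumption, check your ACIs).
KRB_EVIDENCE = ("krbLastPwdChange", "krbPrincipalKey")
SAFE_UID = re.compile(r"^[a-z0-9_.-]{1,32}$")  # assumed local uid policy


def user_dn(uid: str, base_dn: str) -> str:
    """Build the IPA user DN; refuse uids that could inject RDN syntax."""
    if not SAFE_UID.match(uid):
        raise ValueError(f"unsafe uid: {uid!r}")
    return f"uid={uid},cn=users,cn=accounts,{base_dn}"


def has_kerberos_keys(attrs: dict) -> bool:
    """True when the entry shows evidence that Kerberos keys were generated."""
    return any(attrs.get(a) for a in KRB_EVIDENCE)


def parse_ldif_entry(text: str) -> dict:
    """Minimal LDIF-to-dict for one entry (no base64, no wrapped lines)."""
    attrs: dict = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            name, value = line.split(":", 1)
            attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def bind_to_generate_keys(host: str, uid: str, password: str,
                          base_dn: str, ca_file: str) -> bool:
    """Simple bind as the user over LDAPS with certificate validation.
    A successful bind is what triggers key generation; nothing is stored."""
    import ldap3  # imported here so the parsing helpers work without it
    tls = ldap3.Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_file)
    server = ldap3.Server(host, use_ssl=True, tls=tls)
    conn = ldap3.Connection(server, user_dn(uid, base_dn), password)
    ok = conn.bind()
    conn.unbind()
    return ok
```

Run `bind_to_generate_keys` from the IAM system's password-change hook while the cleartext password is still in memory, then have a privileged account search the entry and feed the LDIF to `parse_ldif_entry` / `has_kerberos_keys` to confirm the keys exist before the periodic activation script runs.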
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue