On 2/13/24 18:54, Christian Heimes via FreeIPA-users wrote:
On 13/02/2024 18.03, Ronald Wimmer via FreeIPA-users wrote:
On 13.02.24 17:47, Rob Crittenden wrote:
I don't think it's possible to speculate without knowing your process.
This requires the cleartext password so assuming you create the staged user then immediately active them, that would be the time to do the bind. Otherwise you have to store cleartext passwords and that is a recipe for disaster.
User is created by an external tool. User activation in IPA is done by a script on one of the IPA servers periodically. Sadly, the external tool cannot do an initial LDAP bind in order to create a users's krb LDAP attributes. I am looking for a simple way these properties are created.
Sure I could say a user has to SSH somewhere but why can't that happen if a user tries to login to IPA's WebGUI and the krb properties are missing? Or is there another option for users to accomplish this?
Because the IPA WebUI uses the Kerberos extension S4U2Proxy under the hood. It allows the WebUI to talk to the LDAP server on behalf of the user. This feature require a proper Kerberos credentials. See https://www.freeipa.org/page/V4/Service_Constraint_Delegation
I already mentioned the recommended option to archive this a while ago. You may have missed the piece of information in this very long thread. IPA servers have a special /ipa/migration route (e.g. https://ipa.demo1.freeipa.org/ipa/migration/) for password migration. Under the hood the endpoint just does an LDAP bind with username and password. You can ask your users to either log into a machine with ssh or go to the migration page.
Did something change on the IPA side? We are using RedHat IDM 4.12.2 and these steps magically seem not to be required anymore. Kerberos attributes are created immediately upon user creation.