path: root/install/conf/ipa.conf
author Martin Kosek <mkosek@redhat.com> 2012-06-06 14:38:08 +0200
committer Rob Crittenden <rcritten@redhat.com> 2012-06-11 23:07:03 -0400
commit d1e695b5d0323167d37eee340718eb5e65138716
tree eca31d880051605493df2f6f09cba6730c8f33f0 /install/conf/ipa.conf
parent 34a1dee93420805ba48fbe077b4e2a8cea351151
Password change capability for form-based auth

IPA server web form-based authentication allows logins for users which for some reason cannot use Kerberos authentication. However, when a password for such users expires, they are unable to change the password via web interface.

This patch adds a new WSGI script attached to URL /ipa/session/change_password which can be accessed without authentication and which provides password change capability for web services.

The actual password change in the script is processed by LDAP password change command.

Password result is passed both in the resulting HTML page, but also in HTTP headers for easier parsing in web services:
  X-IPA-Pwchange-Result: {ok, invalid-password, policy-error, error}
  (optional) X-IPA-Pwchange-Policy-Error: $policy_error_text

https://fedorahosted.org/freeipa/ticket/2276
Diffstat (limited to 'install/conf/ipa.conf')
-rw-r--r-- install/conf/ipa.conf 8
1 files changed, 7 insertions, 1 deletions
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 89c9849ca..b52d9d2ff 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
#
-# VERSION 4 - DO NOT REMOVE THIS LINE
+# VERSION 5 - DO NOT REMOVE THIS LINE
#
# LoadModule auth_kerb_module modules/mod_auth_kerb.so
@@ -72,6 +72,12 @@ KrbConstrainedDelegationLock ipa
Allow from all
</Location>
+<Location "/ipa/session/change_password">
+ Satisfy Any
+ Order Deny,Allow
+ Allow from all
+</Location>
+
# This is where we redirect on failed auth
Alias /ipa/errors "/usr/share/ipa/html"
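Review bot: The new Location block for "/ipa/session/change_password" removes all access control at the web-server layer ("Satisfy Any" together with "Allow from all"), and nothing in the hunk records why or what compensates for it. Please add a comment above the block stating that the endpoint is intentionally unauthenticated because it serves users whose passwords have expired, and that checking the old password is left entirely to the WSGI script behind it. Because a password change is a state-changing form submission, also consider limiting the block to POST, for example with a "<LimitExcept POST>" section that denies every other method, so the unauthenticated surface is no wider than the handler needs.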