
larrabee / freeipa-password-reset


Self-service password reset app for FreeIPA

License: GNU General Public License v3.0

Languages: Python 51.98%, HTML 48.02%
Topics: change, django, freeipa, ldap, password, python, self-service, sms

Contributors

altiup, asohh, dependabot[bot], larrabee, longsight, mlaptev-moysklad


freeipa-password-reset's Issues

.keytab is not executing

Hi again, the ldap-passwd-reset.keytab isn't renewing the tickets manually.

I believe some cron job is calling it to renew tickets, but I can not find that job. Shall I create something like:

* */2 * * * /usr/bin/kinit [email protected] -k -t /opt/data/IPAPasswordReset/ldap-passwd-reset.keytab
?
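As an added example (not code from freeipa-password-reset), here is a renewal helper that inspects the credential cache first and only calls kinit from the keytab when the TGT is missing or about to expire, rather than re-authenticating on a fixed schedule. The keytab path and principal follow the cron line above; the cache name and the one-hour margin are assumptions, and the klist output embedded below is constructed in the format klist prints elsewhere on this page. The `run` callable is injectable so the decision logic can be exercised without Kerberos installed.

```python
"""Renew a keytab-based Kerberos ticket only when it is missing or close to expiry.

Added example, not code from freeipa-password-reset. Principal, keytab path, cache
name and the renewal margin are assumptions.
"""
import re
import subprocess
from datetime import datetime, timedelta

# Timestamp layout printed by MIT klist in the output quoted on this page.
KLIST_TIME = "%m/%d/%Y %H:%M:%S"
# "Valid starting  Expires  Service principal" row of the TGT (krbtgt/REALM@REALM).
TGT_ROW = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(krbtgt/\S+)\s*$",
    re.MULTILINE,
)

# Constructed sample input, shaped like the klist listing quoted in a later issue.
SAMPLE_KLIST = """Ticket cache: FILE:/var/run/ipa-passwd-reset.ccache
Default principal: ldap-passwd-reset@EXAMPLE.TEST

Valid starting       Expires              Service principal
09/14/2020 09:53:36  09/15/2020 09:53:36  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
09/14/2020 10:02:55  09/15/2020 09:53:36  HTTP/ipa.example.test@EXAMPLE.TEST
"""


def tgt_expiry(klist_output):
    """Return the TGT expiry parsed from klist text, or None when no TGT row exists."""
    match = TGT_ROW.search(klist_output)
    return datetime.strptime(match.group(2), KLIST_TIME) if match else None


def needs_renewal(klist_output, now, margin=timedelta(hours=1)):
    """True when the cache has no TGT or the TGT expires within `margin` of `now`."""
    expiry = tgt_expiry(klist_output)
    return expiry is None or expiry - now <= margin


def renew_if_needed(principal, keytab, cache, now=None,
                    margin=timedelta(hours=1), run=subprocess.run):
    """Inspect `cache` with klist; kinit from `keytab` only if the TGT is missing
    or near expiry. Returns True when kinit was actually run."""
    now = now or datetime.now()
    listing = run(["klist", "-c", cache], capture_output=True, text=True)
    # klist exits non-zero for an absent or fully expired cache: treat as "no TGT".
    output = listing.stdout if listing.returncode == 0 else ""
    if not needs_renewal(output, now, margin):
        return False
    run(["kinit", "-k", "-t", keytab, "-c", cache, principal], check=True)
    return True


if __name__ == "__main__":
    renewed = renew_if_needed(
        "ldap-passwd-reset@EXAMPLE.TEST",                       # assumed principal
        "/opt/data/IPAPasswordReset/ldap-passwd-reset.keytab",  # keytab path from the issue
        "FILE:/var/run/ipa-passwd-reset.ccache",                # assumed cache
    )
    print("renewed" if renewed else "ticket still valid")
```

Run it from a systemd timer or cron entry every few minutes as the same user that runs the web app, and point it at the credential cache that the app process actually reads; a ticket sitting in a different user's cache is the usual reason a manual kinit works while the app still reports that it cannot retrieve a ticket.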

OTP using Signal 'FileNotFoundError'

We are currently using your freeipa-password-reset app for our FreeIPA LDAP password reset, and we are testing different media for providing the OTP. Email is already working.

However, we've enabled the Signal OTP, but it returns this message: 'FileNotFoundError' object has no attribute 'message'

We've already populated the telephone number attribute in FreeIPA.

Please help. Thanks.

Regards,

Python requirements break IPA on RHEL 7.6 with FIPS enabled

Environment:
OS: RHEL 7.6
Kernel: 3.10.0-957.21.3.el7.x86_64
IPA Version: VERSION: 4.6.4, API_VERSION: 2.230

Problem:
Can I know why we have these strict requirements on the Python modules:

appdirs==1.4.3
boto3==1.4.4
botocore==1.5.71
decorator==4.0.11
django==1.11.22
dnspython==1.15.0
docutils==0.13.1
enum34==1.1.6
futures==3.1.1
httplib2==0.10.3
idna==2.5
ipaddress==1.0.18
jmespath==0.9.3
netaddr==0.7.19
netifaces==0.10.6
packaging==16.8
pyasn1==0.2.3
pyasn1-modules==0.0.8
pycparser==2.17
pyparsing==2.2.0
python-dateutil==2.6.0
pytz==2017.2
redis==2.10.5
rsa==3.4.2
s3transfer==0.1.10
six==1.10.0
uritemplate==3.0.0
Jinja2==2.10.1

These modules break the IPA functionality:

# ipactl status

Traceback (most recent call last):
  File "/sbin/ipactl", line 29, in <module>
    from ipaserver.install import service, installutils
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 34, in <module>
    from ipalib.install import certstore, sysrestore
  File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919, in <module>
    from ipalib import plugable
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 42, in <module>
    from ipalib.config import Env
  File "/usr/lib/python2.7/site-packages/ipalib/config.py", line 43, in <module>
    from ipaplatform.tasks import tasks
  File "/usr/lib/python2.7/site-packages/ipaplatform/tasks.py", line 10, in <module>
    ipaplatform._importhook.fixup_module('ipaplatform.tasks')
  File "/usr/lib/python2.7/site-packages/ipaplatform/_importhook.py", line 135, in load_module
    platform_mod = importlib.import_module(alias)
  File "/usr/lib64/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/usr/lib/python2.7/site-packages/ipaplatform/rhel/tasks.py", line 26, in <module>
    from ipaplatform.redhat.tasks import RedHatTaskNamespace
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/tasks.py", line 56, in <module>
    """)
  File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 105, in cdef
    self._cdef(csource, override=override, packed=packed)
  File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 119, in _cdef
    self._parser.parse(csource, override=override, **options)
  File "/usr/lib64/python2.7/site-packages/cffi/cparser.py", line 299, in parse
    self._internal_parse(csource)
  File "/usr/lib64/python2.7/site-packages/cffi/cparser.py", line 304, in _internal_parse
    ast, macros, csource = self._parse(csource)
  File "/usr/lib64/python2.7/site-packages/cffi/cparser.py", line 260, in _parse
    ast = _get_parser().parse(csource)
  File "/usr/lib64/python2.7/site-packages/cffi/cparser.py", line 40, in _get_parser
    _parser_cache = pycparser.CParser()
  File "/usr/lib/python2.7/site-packages/pycparser/c_parser.py", line 116, in __init__
    outputdir=taboutputdir)
  File "/usr/lib/python2.7/site-packages/pycparser/ply/yacc.py", line 3256, in yacc
    signature = pinfo.signature()
  File "/usr/lib/python2.7/site-packages/pycparser/ply/yacc.py", line 2961, in signature
    digest = base64.b16encode(sig.digest())
UnboundLocalError: local variable 'sig' referenced before assignment

Has this been tested on these versions at all, or at least on CentOS 7.6?
Or has anyone else encountered this issue?

SECRET_KEY

Hello,

Could you please let me know what "SECRET_KEY = "Your CSRF protection key. It must be long random string"" is and how we can find it?

Kind regards,
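Django uses SECRET_KEY for all of its cryptographic signing (session cookies, CSRF tokens, signed data), not only CSRF, so it has to be long, generated from a CSPRNG, and kept out of the code tree and the repository. As an added example, not code from freeipa-password-reset, the helper below generates the key on first start and refuses to run with one that other users can read or that is too short; the file path is an assumption.

```python
"""Keep Django's SECRET_KEY in a mode-0600 file outside the code tree and
generate it on first start.

Added example, not code from freeipa-password-reset; the file path is an assumption.
"""
import os
import secrets
import stat

# Django's deploy check (security.W009) warns when SECRET_KEY is shorter than 50
# characters; the generated key is comfortably longer.
MIN_LENGTH = 50


def generate_secret_key(nbytes=64):
    """Return a fresh URL-safe random key from the OS CSPRNG (about 86 chars for 64 bytes)."""
    return secrets.token_urlsafe(nbytes)


def load_secret_key(path, min_length=MIN_LENGTH):
    """Read the key at `path`, creating it with 0600 permissions if it does not exist.
    Refuse to start with a key that other users can read or that is too short."""
    if not os.path.exists(path):
        key = generate_secret_key()
        try:
            # O_EXCL: if two workers start at once only one creates the file.
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            pass  # another worker won the race; read what it wrote below
        else:
            with os.fdopen(fd, "w") as fh:
                fh.write(key)
            return key
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path} has mode {mode:04o}; it must not be group/other accessible")
    with open(path) as fh:
        key = fh.read().strip()
    if len(key) < min_length:
        raise ValueError(
            f"{path} holds a {len(key)}-character key; at least {min_length} required")
    return key


# In settings.py (the path is an assumption):
# SECRET_KEY = load_secret_key("/opt/data/IPAPasswordReset/secret_key")
```

Rotating the key invalidates every existing session and signed token, which is the intended effect if it ever leaks; the file should be owned by the service user and backed up with the same care as the keytab.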

Can't get kerberos ticket

I was able to get this installed and mostly working. I had to upgrade pip. Something you might want to put in the documentation.

However, when I go to test this, I get an error about the kerberos ticket not being accessible.

If I check the /var/log/messages I see this:
Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.

Cannot update your password. Insufficient access: Insufficient 'write' privilege to the 'userPassword' attribute of entry '<DN-NAME-HERE>'.

Getting the below error message on reset page:

Cannot update your password. Insufficient access: Insufficient 'write' privilege to the 'userPassword' attribute of entry ''.


Adding the "ldap-passwd-reset" user to the "admins" FreeIPA group helps to solve the issue, but I don't want to leave it there permanently.

CentOS Linux release 7.9.2009 (Core)

$ ipa --version
VERSION: 4.6.8, API_VERSION: 2.237

The latest version of the freeipa-password-reset as of Jan 4th, 2021

Logo

Hi, I designed a logo for your project. If you like it, you can use it. I will send you files. free for your project.

Best regards.

can't list 2FA Provider

When I reset my password by email, the system displays:
Cannot update your password. Insufficient access: Insufficient 'write' privilege to the 'userPassword' attribute of entry

Password reset with account unlock feature?

Hi, firstly i would like to say thank you so much for this self-service password reset portal! It worked like a charm and simple to understand!

However, I noticed that the self-service password reset does not come with account unlock, which causes confusion for end users who did a password reset but were not able to access servers due to the account being locked (multiple login attempts prior to the reset). By any chance will we be looking at this feature in the near future?

I'm not sure whether this is the right place to post, but do delete this thread if i'm wrong.

Phone number in wrong format

Thanks for the password reset application.
It really looks cool.
But, I am not able to reset the password.
The message I see is "Phone number in wrong format" when I click on reset.
Phone Number I am using +918447740700

Cannot update your password. 'krbloginfailedcount'

Hi

I'm still getting error:
Cannot update your password. 'krbloginfailedcount'

Password was changed, but there is some problem with krbloginfailedcount attribute check/update.

Problem seems to be in these lines in pwdmanager.py:

            if int(user['result']['krbloginfailedcount'][0]) > 0:
                api.Command.user_mod(uid=unicode(uid), setattr=unicode("krbloginfailedcount=0"))

Fresh installation of FreeIPA 4.6.5 on latest Centos7 7.7.1908 with default settings
Tested on multiple instances.

I have tried to add the attribute "krbloginfailedcount" to the "System: Change User password" permission (not default) but without effect.
The next finding is that if the user never had a failed login, this attribute doesn't exist in the user record.

Regards

When select e-mail as provider, get an SMTP error

Hi,
Finally I can run the service. But when I select email as the provider, I get:
Cannot send Email, error: SMTP AUTH extension not supported by server.
Here are my email provider settings:
"email-1": {
"class": app.providers.Email,
"enabled": True,
"display_name": "Email",
"options": {
# In template {0} will replaced with token
"msg_template": "Your reset password token: {0} \nDo not tell anyone this code.",
"msg_subject": "Your LDAP password reset code",
"smtp_from": None, #With None its copy value from smtp_user
"smtp_user": "",
"smtp_pass": "",
"smtp_server_addr": "smtp.yasar.com.tr",
"smtp_server_port": 25,
"smtp_server_tls": False,

I am using OpenSMTPD as an SMTP server and I am not using authentication in the configuration. It is sufficient for the IP to be in the IP list, and the server's IP is already in this list.
How can I overcome this issue?

Mobile instead telephoneNumber

Hello!
How do I use the mobile attribute instead of telephoneNumber?
I tried replacing it in the providers.py file, but it does not work.

requirements.txt lists unavailable version of django

The requirements.txt file lists "django==1.11.19" as a dependency, but that version is not available.

Editing the requirements.txt file and increasing the version of django to 1.11.20 allows "pip install -r requirements.txt" to succeed.

Cannot send Email

Hi
Trying to use email for password reset. It seems to have installed fine as per the instructions, but when I try to do a reset it says cannot send email, using the email provider for the password reset.

httpd error_log:
[Sat May 18 22:11:16.349822 2019] [:warn] [pid 9909] [client 10.1.1.88:60980] failed to set perms (3140) on file (/var/run/ipa/ccaches/[email protected])!, referer: https://master6dev.domain.com/ipa/xml
[Sat May 18 22:11:16.373918 2019] [:error] [pid 9620] ipa: INFO: [jsonserver_session] [email protected]: user_show/1(u'user5', version=u'2.230'): SUCCESS

maillog:

master6dev postfix/smtpd[13518]: lost connection after EHLO from hostname.fqdn

Cannot Retrieve Kerberos Ticket

Hey there, I'm having trouble with the kerberos ticket portion of the setup. When clicking on "Reset Password" I get "Cannot retrieve kerberos ticket". I'm able to grab a keytab and store it in /opt/data/IPAPasswordReset/passwordreset.keytab, and I'm pointing to that in settings.py as ../passwordreset.keytab
I'm also able to run the command kinit -kt /opt/data/IPAPasswordReset/passwordreset.keytab passwordreset without any issues. Running klist -A I get the following:
Ticket cache: KCM:0:4774
Default principal: passwordreset@DOMAIN

Valid starting Expires Service principal
09/14/2020 09:53:36 09/15/2020 09:53:36 krbtgt/DOMAIN@DOMAIN
09/14/2020 10:02:55 09/15/2020 09:53:36 HTTP/server@DOMAIN

Ticket cache: KCM:0
Default principal: admin@DOMAIN

Valid starting Expires Service principal
09/10/2020 12:05:50 09/11/2020 12:05:47 krbtgt/DOMAIN@DOMAIN
09/10/2020 12:05:55 09/11/2020 12:05:47 cifs/SERVER@DOMAIN

Ticket cache: KCM:0:72320
Default principal: cifs/server@DOMAIN

Valid starting Expires Service principal
09/10/2020 12:07:04 09/11/2020 12:07:04 krbtgt/DOMAIN@DOMAIN

Do you know what's going on?
Thanks in advance for the help!

Cannot send email

Dear,

When I try to use Email provider, and I'm sure of my smtp relay configuration, I got :

X.X.X.X - - [26/May/2020:12:22:12 +0200] "POST /reset/gettoken/ HTTP/1.1" 500 6464
That result in Cannot send Email on the UI.

Thank you for your help.

cannot create home directory for user getting permission denied

I have followed the all steps after installing of IPAServer not able to create home directory for user, can any one help me on this.

sudo mkdir $(ipa -n user-show "ipa-test-user" --raw |grep 'homedirectory' |awk -F':' '{print $2}')
mkdir: cannot create directory ‘/home/ipa-test-user’: Permission denied

Thanks In Advance.

Regards,
Gopi V

Occasional rpcclient errors

Hi,

Every second time we call /setpassword, an error is shown: "rpcclient is already connected".


Manually resending the request succeeds.

If not caught, the exception trace is the following:

Traceback (most recent call last):
  File "/opt/data/IPAPasswordReset/PasswordReset/app/views.py", line 49, in post
    PasswdManager().second_phase(request.POST['uid'], request.POST['token'], request.POST['password1'])
  File "/opt/data/IPAPasswordReset/PasswordReset/app/pwdmanager.py", line 43, in __init__
    api.Backend.rpcclient.connect()
  File "/usr/lib/python3.9/site-packages/ipalib/backend.py", line 62, in connect
    raise Exception(
Exception: rpcclient is already connected (rpcclient_139845700820416 in Thread-2)

Slack Conversations API

Awesome work, and really nice options available through the provider list. Everything works with no problems at all.

One comment, which I see making a huge difference, security-wise.

The SLACK Webhook provider requires the existence of a slack channel.
As you can understand, posting a token for a user reset to a channel is like asking for someone to test which user it was through simple brute force.

A better approach would be through the use of Slack's conversation API (https://api.slack.com/methods/conversations.open) which offers the capability to direct message the password request token to the user.
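The exchange described above, as an added example that is not the project's Slack provider: open (or reuse) the bot's direct-message conversation with the one user via conversations.open, then post the token there with chat.postMessage, so no other workspace member sees it. The `post` callable is injected so the two-step exchange can be run offline; the bot token and the way a FreeIPA user is mapped to a Slack member ID are assumptions.

```python
"""Deliver a reset token by Slack direct message instead of a shared channel.

Added example, not code from freeipa-password-reset. Uses the Slack Web API
methods conversations.open and chat.postMessage; the bot token and the
FreeIPA-user-to-Slack-member-ID mapping are assumptions.
"""
import json
import urllib.request

SLACK_API = "https://slack.com/api/"


def slack_post(bot_token):
    """Return a callable that POSTs JSON to a Slack Web API method with a bot token."""
    def post(method, payload):
        req = urllib.request.Request(
            SLACK_API + method,
            data=json.dumps(payload).encode(),
            headers={
                "Authorization": f"Bearer {bot_token}",
                "Content-Type": "application/json; charset=utf-8",
            },
        )
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return post


def send_token_dm(post, slack_user_id, token,
                  template="Your reset password token: {0}\nDo not tell anyone this code."):
    """Open the bot's DM with exactly one user and post the token there.

    Returns the DM channel id. Raises RuntimeError on API errors; the token is
    never placed in the error text so it cannot leak into logs."""
    opened = post("conversations.open", {"users": slack_user_id})
    if not opened.get("ok"):
        raise RuntimeError(f"conversations.open failed: {opened.get('error')}")
    dm_channel = opened["channel"]["id"]   # "D..." id, private to bot + user
    sent = post("chat.postMessage", {"channel": dm_channel, "text": template.format(token)})
    if not sent.get("ok"):
        raise RuntimeError(f"chat.postMessage failed: {sent.get('error')}")
    return dm_channel


if __name__ == "__main__":
    # Real usage (assumed values): a bot with the im:write and chat:write scopes.
    # send_token_dm(slack_post("xoxb-..."), "U0123456789", "483921")
    pass
```

The bot needs the im:write and chat:write scopes for these two calls. Compared with a webhook into a channel, the message is visible only to the addressed user, so a guessed or broadcast token no longer tells other members which account is being reset.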

Problems installing on minimal Fedora 29, as well as some other issues (w/ solutions)

This probably just boils down to needing to add further documentation to account for minimal installs, and clarifying some things.

Starting from a minimal Fedora 29 install which then had FreeIPA installed (with all the stuff it needs), I ran into some issues.

  1. I needed to install multiple packages that weren't already installed, which can be solved with:
    dnf install gcc git python-ipaclient python-ipalib python-devel python-pip redhat-rpm-config - this solves multiple issues (lack of pip, failure to build during pip install -r requirements.txt, not having git installed by default, not having python ipaclient or ipalib...)

  2. I needed to run pip install virtualenv once I had pip installed

  3. There is no virtualenv2? Using virtualenv seemed to work as expected (modifying the relevant step in the README to virtualenv --system-site-packages ./virtualenv)

  4. It appears I had to log in to FreeIPA as ldap-passwd-reset and change the password (since it was automatically expired) and re-create the keytab before kinit would work from the keytab. I'm not sure if this is normal, or varies by install, or whatever, but at least a mention of it would be useful since I was just getting vague errors on the frontend about "Cannot retrieve kerberos ticket". I only figured it out after looking at what the code was doing to hit that error and then step by step walking through it manually.

  5. I got some further errors due to the lack of /home/ldap-passwd-reset, which makes sense as while we added the user from the command line with ipa we never created a home directory, and it appears the code tries to create some files there. Creating the directory and changing ownership accordingly solved that.

  6. I found that while you can set SMTP user/pass to None (vs "", which would fail due to attempting an empty username/password) to disable attempting SMTP auth, this means the From address is invalid and sane SMTP recipients such as Gmail will bounce the message. So probably there should either be a separate way to set the From address in the provider settings if operating without user/pass is intended to be supported, or just a note that SMTP user/pass are required if using the SMTP provider, and an appropriate exception thrown in the code if they're not set instead of attempting to continue without them.
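The two SMTP failure modes reported on this page (an unauthenticated relay that advertises no AUTH extension, and an empty From address when no user/pass is configured) come down to the same provider logic: authenticate only when credentials are actually set, and require an explicit sender otherwise. The sender below is an added example, not the project's Email provider; it reads the same option names the settings snippets on this page use, and the SMTP connection factory is injectable so the logic can be exercised without a mail server.

```python
"""Send a reset token over SMTP: STARTTLS when configured, AUTH only when
credentials are set, and an explicit From address otherwise.

Added example, not code from freeipa-password-reset; option names follow the
settings snippets quoted on this page.
"""
import smtplib
from email.message import EmailMessage


def build_message(opts, to_addr, token):
    """Build the token mail. Fall back to smtp_user as sender only if smtp_from is
    unset; with neither, fail early instead of sending with an empty sender."""
    sender = opts.get("smtp_from") or opts.get("smtp_user")
    if not sender:
        raise ValueError("smtp_from must be set when smtp_user is empty")
    msg = EmailMessage()
    msg["Subject"] = opts["msg_subject"]
    msg["From"] = sender
    msg["To"] = to_addr
    msg.set_content(opts["msg_template"].format(token))
    return msg


def send_token_email(opts, to_addr, token, smtp_factory=smtplib.SMTP):
    """Deliver the token; returns the sender address used."""
    msg = build_message(opts, to_addr, token)
    user, password = opts.get("smtp_user"), opts.get("smtp_pass")
    if bool(user) != bool(password):
        raise ValueError("smtp_user and smtp_pass must both be set or both empty")
    with smtp_factory(opts["smtp_server_addr"], opts["smtp_server_port"], timeout=15) as smtp:
        smtp.ehlo()
        if opts.get("smtp_server_tls"):
            smtp.starttls()
            smtp.ehlo()  # advertised extensions (including AUTH) can change after STARTTLS
        if user:
            # Credentials configured: the server must offer AUTH, otherwise we would
            # silently send unauthenticated with a password in the config.
            if not smtp.has_extn("auth"):
                raise RuntimeError("credentials configured but server offers no AUTH extension")
            smtp.login(user, password)
        # No credentials: IP-allowlisted relay (as with the OpenSMTPD setup above); skip AUTH.
        smtp.send_message(msg)
    return msg["From"]


if __name__ == "__main__":
    # Constructed options mirroring the settings quoted on this page (host is an assumption).
    OPTS = {
        "msg_template": "Your reset password token: {0} \nDo not tell anyone this code.",
        "msg_subject": "Your LDAP password reset code",
        "smtp_from": "noreply@example.test",
        "smtp_user": "",
        "smtp_pass": "",
        "smtp_server_addr": "mail.example.test",
        "smtp_server_port": 25,
        "smtp_server_tls": False,
    }
    print(send_token_email(OPTS, "user@example.test", "483921"))
```

With smtp_user and smtp_pass empty and smtp_from set, the relay receives no AUTH command at all, which is what an IP-allowlisted OpenSMTPD or Postfix expects; with both credentials set, a server that does not advertise AUTH is treated as a configuration error rather than silently sending unauthenticated.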

render() fails takes exactly 2 arguments (3 given)

TypeError at /reset/
render() takes exactly 2 arguments (3 given)
Request Method: GET
Request URL: http://myhost.mydomain:7877/reset/
Django Version: 1.6.11.7
Exception Type: TypeError
Exception Value:
render() takes exactly 2 arguments (3 given)
Exception Location: /home/dev/change-ipa-pass/freeipa-password-reset/PasswordReset/app/views.py in index, line 15
Python Executable: /usr/bin/python
Python Version: 2.7.5

Mail from

Currently there is no way to specify "Mail From" using settings.

problem with never expire accounts

Hi

Looks like the code does not account for "krbmaxpwdlife=0" (never expire) and then sets "krbPasswordExpiration" to the current date (now+0), which makes the password expired.

Please see FreeIPA source code:
https://github.com/freeipa/freeipa/blob/master/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
line 625:

  if (data->expireTime == 0) {
    if (pol.max_pwd_life > 0) {
      /* max_pwd_life = 0 => never expire
      * set expire time only when max_pwd_life > 0 */
      data->expireTime = data->timeNow + pol.max_pwd_life;
    }
  }

Regards
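The two post-reset attribute problems reported on this page, krbLoginFailedCount being absent from a user entry that never had a failed login (the 'krbloginfailedcount' KeyError above) and krbMaxPwdLife = 0 meaning "never expire" (this issue), are both handled in the helper below. It is an added example, not the project's pwdmanager.py: it works on plain dicts shaped like ipalib's user_show result and takes the user_mod call as a parameter, so it runs without FreeIPA. The attribute names are FreeIPA's; the value format for setattr mirrors the project's own `krbloginfailedcount=0` call quoted above.

```python
"""Post-reset attribute handling tolerant of a missing krbLoginFailedCount and of
a password policy whose krbMaxPwdLife is 0 (never expire).

Added example, not code from freeipa-password-reset. `result` is a dict shaped
like ipalib's user_show()['result']; `user_mod` stands in for api.Command.user_mod.
"""
from datetime import datetime, timedelta, timezone


def failed_logins(result):
    """Read krbLoginFailedCount; the attribute only appears after the first failed
    login, so a missing key means zero rather than an error."""
    values = result.get("krbloginfailedcount")
    return int(values[0]) if values else 0


def unlock_if_needed(uid, result, user_mod):
    """Reset the failed-login counter only when it is actually non-zero.
    Returns True when user_mod was called."""
    if failed_logins(result) > 0:
        user_mod(uid=uid, setattr="krbloginfailedcount=0")
        return True
    return False


def password_expiration(now, max_pwd_life_seconds):
    """Apply the ipa-pwd-extop rule quoted above: an expiry is set only when the
    policy's maximum life is positive; 0 means the password never expires.
    krbMaxPwdLife is stored in seconds (the CLI shows --maxlife in days)."""
    if max_pwd_life_seconds > 0:
        return now + timedelta(seconds=max_pwd_life_seconds)
    return None


def expiration_setattr(now, max_pwd_life_seconds):
    """Return the setattr string for user_mod, or None when the attribute must be
    left alone. krbPasswordExpiration is a GeneralizedTime in UTC."""
    expiry = password_expiration(now, max_pwd_life_seconds)
    if expiry is None:
        return None
    return "krbpasswordexpiration=" + expiry.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def finish_reset(uid, result, max_pwd_life_seconds, user_mod, now=None):
    """Run both fix-ups after a successful password change."""
    now = now or datetime.now(timezone.utc)
    unlocked = unlock_if_needed(uid, result, user_mod)
    setattr_value = expiration_setattr(now, max_pwd_life_seconds)
    if setattr_value is not None:
        user_mod(uid=uid, setattr=setattr_value)
    return unlocked, setattr_value
```

For a "never expire" policy the helper issues no krbPasswordExpiration write at all, so the KDC keeps whatever the plugin computed, instead of stamping the password expired at the moment of the reset.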

Follow Password Policy

First, thanks for your magnificent work !!
One small thing while testing: users are setting their passwords without following the password policy. I know this is something related to the ldap-passwd-reset user account; any idea how to fix this?

Regards

Error in the ldap-passwd-reset service

I followed the installation instructions exactly, but when I start the ldap-passwd-reset service, I get the following in /var/log/messages:

Sep 30 13:19:10 auth1 systemd: Stopping FreeIPA Password Reset Service...
Sep 30 13:19:10 auth1 systemd: Stopped FreeIPA Password Reset Service.
Sep 30 13:19:10 auth1 systemd: Started FreeIPA Password Reset Service.
Sep 30 13:19:13 auth1 python: Unhandled exception in thread started by <function wrapper at 0x7f199a52d938>
Sep 30 13:19:13 auth1 python: detected unhandled Python exception in '/opt/data/IPAPasswordReset/PasswordReset/manage.py'
Sep 30 13:19:14 auth1 abrt-server: Executable '/opt/data/IPAPasswordReset/PasswordReset/manage.py' doesn't belong to any package and ProcessUnpackaged is set to 'no'
Sep 30 13:19:14 auth1 abrt-server: 'post-create' on '/var/spool/abrt/Python-2019-09-30-13:19:14-1735' exited with 1
Sep 30 13:19:14 auth1 abrt-server: Deleting problem directory '/var/spool/abrt/Python-2019-09-30-13:19:14-1735'
Sep 30 13:19:14 auth1 python: Performing system checks...
Sep 30 13:19:14 auth1 python: Traceback (most recent call last):
Sep 30 13:19:14 auth1 python: File "/opt/data/IPAPasswordReset/virtualenv/lib/python2.7/site-packages/django/utils/autoreload.py", line 228, in wrapper
Sep 30 13:19:14 auth1 python: fn(*args, **kwargs)
Sep 30 13:19:14 auth1 python: File "/opt/data/IPAPasswordReset/virtualenv/lib/python2.7/site-packages/django/core/management/commands/runserver.py", line 124, in inner_run
Sep 30 13:19:14 auth1 python: self.check(display_num_errors=True)
Sep 30 13:19:14 auth1 python: File "/opt/data/IPAPasswordReset/virtualenv/lib/python2.7/site-packages/django/core/management/base.py", line 359, in check
Sep 30 13:19:14 auth1 python: include_deployment_checks=include_deployment_checks,
Sep 30 13:19:14 auth1 python: File "/opt/data/IPAPasswordReset/virtualenv/lib/python2.7/site-packages/django/core/management/base.py", line 346, in _run_checks
Sep 30 13:19:14 auth1 python: return checks.run_checks(**kwargs)
Sep 30 13:19:14 auth1 python: File "/opt/data/IPAPasswordReset/virtualenv/lib/python2.7/site-packages/django/core/checks/registry.py", line 81, in run_checks
Sep 30 13:19:14 auth1 python: new_errors = check(app_configs=app_configs)
Sep 30 13:19:14 auth1 python: File "/opt/data/IPAPasswordReset/virtualenv/lib/python2.7/site-packages/django/core/checks/urls.py", line 16, in check_url_config
Sep 30 13:19:14 auth1 python: return check_resolver(resolver)
Sep 30 13:19:14 auth1 python: File "/opt/data/IPAPasswordReset/virtualenv/lib/python2.7/site-packages/django/core/checks/urls.py", line 26, in check_resolver
Sep 30 13:19:14 auth1 python: return check_method()
Sep 30 13:19:14 auth1 python: File "/opt/data/IPAPasswordReset/virtualenv/lib/python2.7/site-packages/django/urls/resolvers.py", line 256, in check
Sep 30 13:19:14 auth1 python: for pattern in self.url_patterns:
Sep 30 13:19:14 auth1 python: File "/opt/data/IPAPasswordReset/virtualenv/lib/python2.7/site-packages/django/utils/functional.py", line 35, in __get__
Sep 30 13:19:14 auth1 python: res = instance.__dict__[self.name] = self.func(instance)
Sep 30 13:19:14 auth1 python: File "/opt/data/IPAPasswordReset/virtualenv/lib/python2.7/site-packages/django/urls/resolvers.py", line 407, in url_patterns
Sep 30 13:19:14 auth1 python: patterns = getattr(self.urlconf_module, "urlpatterns", self.urlconf_module)
Sep 30 13:19:14 auth1 python: File "/opt/data/IPAPasswordReset/virtualenv/lib/python2.7/site-packages/django/utils/functional.py", line 35, in __get__
Sep 30 13:19:14 auth1 python: res = instance.__dict__[self.name] = self.func(instance)
Sep 30 13:19:14 auth1 python: File "/opt/data/IPAPasswordReset/virtualenv/lib/python2.7/site-packages/django/urls/resolvers.py", line 400, in urlconf_module
Sep 30 13:19:14 auth1 python: return import_module(self.urlconf_name)
Sep 30 13:19:14 auth1 python: File "/usr/lib64/python2.7/importlib/__init__.py", line 37, in import_module
Sep 30 13:19:14 auth1 python: __import__(name)
Sep 30 13:19:14 auth1 python: File "/opt/data/IPAPasswordReset/PasswordReset/PasswordReset/urls.py", line 20, in <module>
Sep 30 13:19:14 auth1 python: url(r'reset/', include('app.urls')),
Sep 30 13:19:14 auth1 python: File "/opt/data/IPAPasswordReset/virtualenv/lib/python2.7/site-packages/django/conf/urls/__init__.py", line 50, in include
Sep 30 13:19:14 auth1 python: urlconf_module = import_module(urlconf_module)
Sep 30 13:19:14 auth1 python: File "/usr/lib64/python2.7/importlib/__init__.py", line 37, in import_module
Sep 30 13:19:14 auth1 python: __import__(name)
Sep 30 13:19:14 auth1 python: File "/opt/data/IPAPasswordReset/PasswordReset/app/urls.py", line 2, in <module>
Sep 30 13:19:14 auth1 python: from . import views
Sep 30 13:19:14 auth1 python: File "/opt/data/IPAPasswordReset/PasswordReset/app/views.py", line 10, in <module>
Sep 30 13:19:14 auth1 python: from pwdmanager import *
Sep 30 13:19:14 auth1 python: File "/opt/data/IPAPasswordReset/PasswordReset/app/pwdmanager.py", line 4, in <module>
Sep 30 13:19:14 auth1 python: from ipalib import api, errors as ipaerrors
Sep 30 13:19:14 auth1 python: File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919, in <module>
Sep 30 13:19:14 auth1 python: from ipalib import plugable
Sep 30 13:19:14 auth1 python: File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 42, in <module>
Sep 30 13:19:14 auth1 python: from ipalib.config import Env
Sep 30 13:19:14 auth1 python: File "/usr/lib/python2.7/site-packages/ipalib/config.py", line 43, in <module>
Sep 30 13:19:14 auth1 python: from ipaplatform.tasks import tasks
Sep 30 13:19:14 auth1 python: File "/usr/lib/python2.7/site-packages/ipaplatform/tasks.py", line 10, in <module>
Sep 30 13:19:14 auth1 python: ipaplatform._importhook.fixup_module('ipaplatform.tasks')
Sep 30 13:19:14 auth1 python: File "/usr/lib/python2.7/site-packages/ipaplatform/_importhook.py", line 135, in load_module
Sep 30 13:19:14 auth1 python: platform_mod = importlib.import_module(alias)
Sep 30 13:19:14 auth1 python: File "/usr/lib64/python2.7/importlib/__init__.py", line 37, in import_module
Sep 30 13:19:14 auth1 python: __import__(name)
Sep 30 13:19:14 auth1 python: File "/usr/lib/python2.7/site-packages/ipaplatform/rhel/tasks.py", line 26, in <module>
Sep 30 13:19:14 auth1 python: from ipaplatform.redhat.tasks import RedHatTaskNamespace
Sep 30 13:19:14 auth1 python: File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/tasks.py", line 56, in <module>
Sep 30 13:19:14 auth1 python: """)
Sep 30 13:19:14 auth1 python: File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 105, in cdef
Sep 30 13:19:14 auth1 python: self._cdef(csource, override=override, packed=packed)
Sep 30 13:19:14 auth1 python: File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 119, in _cdef
Sep 30 13:19:14 auth1 python: self._parser.parse(csource, override=override, **options)
Sep 30 13:19:14 auth1 python: File "/usr/lib64/python2.7/site-packages/cffi/cparser.py", line 299, in parse
Sep 30 13:19:14 auth1 python: self._internal_parse(csource)
Sep 30 13:19:14 auth1 python: File "/usr/lib64/python2.7/site-packages/cffi/cparser.py", line 304, in _internal_parse
Sep 30 13:19:14 auth1 python: ast, macros, csource = self._parse(csource)
Sep 30 13:19:14 auth1 python: File "/usr/lib64/python2.7/site-packages/cffi/cparser.py", line 260, in _parse
Sep 30 13:19:14 auth1 python: ast = _get_parser().parse(csource)
Sep 30 13:19:14 auth1 python: File "/usr/lib64/python2.7/site-packages/cffi/cparser.py", line 40, in _get_parser
Sep 30 13:19:14 auth1 python: _parser_cache = pycparser.CParser()
Sep 30 13:19:14 auth1 python: File "/opt/data/IPAPasswordReset/virtualenv/lib/python2.7/site-packages/pycparser/c_parser.py", line 116, in __init__
Sep 30 13:19:14 auth1 python: outputdir=taboutputdir)
Sep 30 13:19:14 auth1 python: File "/opt/data/IPAPasswordReset/virtualenv/lib/python2.7/site-packages/pycparser/ply/yacc.py", line 3256, in yacc
Sep 30 13:19:14 auth1 python: signature = pinfo.signature()
Sep 30 13:19:14 auth1 python: File "/opt/data/IPAPasswordReset/virtualenv/lib/python2.7/site-packages/pycparser/ply/yacc.py", line 2961, in signature
Sep 30 13:19:14 auth1 python: digest = base64.b16encode(sig.digest())
Sep 30 13:19:14 auth1 python: UnboundLocalError: local variable 'sig' referenced before assignment

This is a RHEL 7.7 with IDM 4.6.5 and FIPS enabled.

SMS with tokens

Can it work without this feature? Or is it a way to replace it with an email instead of SMS?
Thanks.

Is it possible to install freeipa-password-reset on a different machine rather than the domain controller?

Hi, any help will be appreciated.

I am attempting to install freeipa-password-reset on a password self-service CentOS 7 server rather than my FreeIPA domain server. I was able to follow all the steps provided in the instructions, with some added steps like joining the self-service server to the domain. I did all steps on this server with the exception of "Configure FreeIPA", which I did on the domain server.

Everything went well with no errors, but when I try to load the reset page at my domain https://192.168.2.71/reset

I get a: Service Unavailable

The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

Is this error because I am running it on a separate server?

Mail error

Hi

I hope that you can help me.

I am using CentOS 8. I got no errors during the installation. I would like to use email to send out the token to the users, but it's failing with the error "Cannot send Email" after typing in a username and pressing "Reset Password".

I have checked the logs but it's not adding anything to them; do you have any suggestions on where I can start looking? The email configuration is below.

Regards
Per

"email-1": {
    "class": app.providers.Email,
    "enabled": True,
    "display_name": "Email",
    "options": {
        # In template {0} will replaced with token
        "msg_template": "Your reset password token: {0} \nDo not tell anyone this code.",
        "msg_subject": "Your LDAP password reset code",
        "smtp_from": None, #With None its copy value from smtp_user
        "smtp_user": "",
        "smtp_pass": "",
        "smtp_server_addr": "mail-server-ip",
        "smtp_server_port": 25,
        "smtp_server_tls": False,

Password reset "Proxy Error"

Hi, after resolving the kerberos ticket access rights, the reset page ends with a Proxy Error as shown below:

In addition we see a lot of errors due to IPv6 connectivity attempts

Nov 14 15:00:07 secauth02 python: ipa: INFO: [try 1]: Forwarding 'user_show/1' to json server 'https://secauth02.security.pccwglobal.com/ipa/session/json'
Nov 14 15:00:07 secauth02 named-pkcs11[2233]: network unreachable resolving 'smpt.mailgun.org/A/IN': 2600:9000:5306:4e00::1#53
Nov 14 15:00:07 secauth02 named-pkcs11[2233]: network unreachable resolving 'smpt.mailgun.org/A/IN': 2600:9000:5300:8500::1#53
Nov 14 15:00:07 secauth02 named-pkcs11[2233]: network unreachable resolving 'smpt.mailgun.org/A/IN': 2600:9000:5302:4a00::1#53

When we try this from bash everything works OK.

[root@secauth02 ~]# nslookup

smtp.mailgun.com
Server: X.X.X.X
Address: X.X.X.X#53

Non-authoritative answer:
smtp.mailgun.com canonical name = smtp.mailgun.org.
Name: smtp.mailgun.org
Address: 3.82.80.86
Name: smtp.mailgun.org
Address: 52.45.160.225
Name: smtp.mailgun.org
Address: 35.170.180.73

Any suggestions?

Password reset when IPA is using 2FA?

I'm not sure if there's a solution, but if we're using 2FA with FreeIPA (password and Google Authenticator) how do we configure for a password reset? Any ideas?
I think you'd somehow have to drop the requirement for the Google Auth on the reset webpage and accept the second factor you're pushing out.
Any ideas?

'API' object has no attribute 'Backend' on Fedora 34 with Email

Using the Email only option to reset password on F34 and freeipa-server-4.9.3-2, I see this message:
'API' object has no attribute 'Backend'


Logs show:

Jun  7 15:47:47 python[53936]: [07/Jun/2021 19:47:47] "POST /reset/gettoken/ HTTP/1.1" 500 6502
Jun  7 15:48:40 python[53936]: [07/Jun/2021 19:48:40] "GET /reset/ HTTP/1.1" 200 5748

Trouble Running manage.py runserver for CentOS 8 (Python 3.6)

I tried to install this on a CentOS 8 and ran into a few minor issues that I was able to work around (namely how virtualenv is created).

Now I am having an issue when launching the service - I have a traceback:

Performing system checks...

Unhandled exception in thread started by <function check_errors.<locals>.wrapper at 0x7fae242d4378>
Traceback (most recent call last):
  File "/opt/apps/freeipa-password-reset/virtualenv/lib64/python3.6/site-packages/django/utils/autoreload.py", line 228, in wrapper
    fn(*args, **kwargs)
  File "/opt/apps/freeipa-password-reset/virtualenv/lib64/python3.6/site-packages/django/core/management/commands/runserver.py", line 124, in inner_run
    self.check(display_num_errors=True)
  File "/opt/apps/freeipa-password-reset/virtualenv/lib64/python3.6/site-packages/django/core/management/base.py", line 359, in check
    include_deployment_checks=include_deployment_checks,
  File "/opt/apps/freeipa-password-reset/virtualenv/lib64/python3.6/site-packages/django/core/management/base.py", line 346, in _run_checks
    return checks.run_checks(**kwargs)
  File "/opt/apps/freeipa-password-reset/virtualenv/lib64/python3.6/site-packages/django/core/checks/registry.py", line 81, in run_checks
    new_errors = check(app_configs=app_configs)
  File "/opt/apps/freeipa-password-reset/virtualenv/lib64/python3.6/site-packages/django/core/checks/urls.py", line 16, in check_url_config
    return check_resolver(resolver)
  File "/opt/apps/freeipa-password-reset/virtualenv/lib64/python3.6/site-packages/django/core/checks/urls.py", line 26, in check_resolver
    return check_method()
  File "/opt/apps/freeipa-password-reset/virtualenv/lib64/python3.6/site-packages/django/urls/resolvers.py", line 256, in check
    for pattern in self.url_patterns:
  File "/opt/apps/freeipa-password-reset/virtualenv/lib64/python3.6/site-packages/django/utils/functional.py", line 35, in __get__
    res = instance.__dict__[self.name] = self.func(instance)
  File "/opt/apps/freeipa-password-reset/virtualenv/lib64/python3.6/site-packages/django/urls/resolvers.py", line 407, in url_patterns
    patterns = getattr(self.urlconf_module, "urlpatterns", self.urlconf_module)
  File "/opt/apps/freeipa-password-reset/virtualenv/lib64/python3.6/site-packages/django/utils/functional.py", line 35, in __get__
    res = instance.__dict__[self.name] = self.func(instance)
  File "/opt/apps/freeipa-password-reset/virtualenv/lib64/python3.6/site-packages/django/urls/resolvers.py", line 400, in urlconf_module
    return import_module(self.urlconf_name)
  File "/usr/lib64/python3.6/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 994, in _gcd_import
  File "<frozen importlib._bootstrap>", line 971, in _find_and_load
  File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 665, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 678, in exec_module
  File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
  File "/opt/apps/freeipa-password-reset/PasswordReset/PasswordReset/urls.py", line 20, in <module>
    url(r'reset/', include('app.urls')),
  File "/opt/apps/freeipa-password-reset/virtualenv/lib64/python3.6/site-packages/django/conf/urls/__init__.py", line 50, in include
    urlconf_module = import_module(urlconf_module)
  File "/usr/lib64/python3.6/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 994, in _gcd_import
  File "<frozen importlib._bootstrap>", line 971, in _find_and_load
  File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 665, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 678, in exec_module
  File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
  File "/opt/apps/freeipa-password-reset/PasswordReset/app/urls.py", line 2, in <module>
    from . import views
  File "/opt/apps/freeipa-password-reset/PasswordReset/app/views.py", line 10, in <module>
    from pwdmanager import *
ModuleNotFoundError: No module named 'pwdmanager'

Any feedback on this would be great, thank you!

Service Unavailable

I sank a few hours into troubleshooting before posting but have not been able to resolve it.
I'm using FreeIPA with Fedora.
I followed the steps and went over them multiple times, but when going to ipa.domain.com/reset it's Service Unavailable.

Logging into FreeIPA is no issue, and rebooting the server mid-access drops the page, so content is trying to load but failing.
Any solutions?

Clarification needed on two items

Hello, I had 2 questions and was hoping you could answer them?

  1. When the password reset page is submitted, I get a message like this: "Cannot update your password. Insufficient access: Insufficient 'write' privilege to the 'krbPasswordExpiration' attribute of entry 'uid=test,cn=users,cn=accounts,dc=dev,dc=example,dc=net'." On line 62 of pwdmanager.py you are using the api.Command.user_mod to set the password, do we need to also set the krbPasswordExpiration attribute or should the FreeIPA system do that for us? Can I just comment out that line?

  2. Despite the message above, the reset process does work and sets the password. When testing the new login on the ipaserver/ipa/ui/ url, I'm told that the password needs to be changed. This is the same behaviour as when an admin resets the user's password. Is that correct?

Thank you very much!
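The behaviour asked about above, as an added example that is not part of the issue thread or of the freeipa-password-reset code: FreeIPA stores krbPasswordExpiration as an LDAP GeneralizedTime string, and when a password is set by an identity other than the user (an admin, or a service principal such as the one the app's keytab binds as), FreeIPA sets that attribute to the current time, which is why the new password is reported as expired at the next login. Avoiding that means writing a future expiration, and writing it needs the 'write' privilege on krbPasswordExpiration that the error message names. The helpers below compute and check those values; the function names, the 90-day policy lifetime and the sample timestamp are this example's own assumptions, not the project's.

```python
from datetime import datetime, timedelta, timezone

# LDAP GeneralizedTime as FreeIPA stores krbPasswordExpiration, e.g. "20240131120000Z".
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def to_generalized_time(when: datetime) -> str:
    """Format an aware datetime as LDAP GeneralizedTime in UTC."""
    return when.astimezone(timezone.utc).strftime(GENERALIZED_TIME)


def from_generalized_time(value: str) -> datetime:
    """Parse a krbPasswordExpiration value back into an aware UTC datetime."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def admin_reset_expiration(now: datetime) -> str:
    """What FreeIPA writes when someone other than the user sets the password:
    expiration == now, so the user is forced to change it at the next login."""
    return to_generalized_time(now)


def self_service_expiration(now: datetime, max_pwd_life_days: int) -> str:
    """Expiration a self-service reset would write instead, derived from the
    password policy's maximum lifetime in days (the value the ipa pwpolicy
    commands take).  Writing this needs 'write' on krbPasswordExpiration for
    the identity the app binds as."""
    if max_pwd_life_days <= 0:
        raise ValueError("max_pwd_life_days must be positive")
    return to_generalized_time(now + timedelta(days=max_pwd_life_days))


def must_change_at_login(expiration: str, now: datetime) -> bool:
    """True when the stored expiration is at or before 'now', i.e. the IPA UI
    will demand a password change before letting the user in."""
    return from_generalized_time(expiration) <= now.astimezone(timezone.utc)


if __name__ == "__main__":
    # Constructed sample time (assumption); a real caller uses datetime.now(timezone.utc).
    now = datetime(2024, 1, 31, 12, 0, 0, tzinfo=timezone.utc)
    forced = admin_reset_expiration(now)
    policy = self_service_expiration(now, 90)
    print("admin-style reset :", forced, "must change:", must_change_at_login(forced, now))
    print("self-service reset:", policy, "must change:", must_change_at_login(policy, now))
```

Whether the keytab identity may write that value is a FreeIPA permission question rather than a code one: the attribute named in the error has to be covered by a permission that is granted, through a privilege and a role, to the principal the app binds as. Commenting out the write leaves the password set but expired, which is exactly the forced-change behaviour described in the second question.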

Modify the link "You can login here." when running freeipa-password-reset on a standalone server

Hi,
I have installed and configured freeipa-password-reset on a RHEL 8 VM and it works great so far. This setup is a standalone VM, meaning that it is not installed on a FreeIPA/IdM server but on a VM with only the required packages and configuration.
One thing is that once a user accesses the page and changes his password, the link "You can login here." points to https:///ipa/ui, which is not accessible on a standalone installation.
Is it possible to add a parameter to have a custom url for this link?

Thanks!
