The current assumption is that all IPA users can log in to Unix/Linux
machines to change their IPA password, or reset their expired password.
But this is not available all the time, so a more general alternative -- a web
UI -- would be more appreciated. The basic requirements are:
1. The web UI accepts the user's password; an expired one is also accepted.
2. The authentication is based on IPA Kerberos.
3. An authenticated regular IPA user can reset only his/her own password.
4. (bonus) Authenticated admin users can alter other users' passwords as well.
Freeipa-devel mailing list