On Sun, 2012-05-20 at 02:22 -0700, Gelen James wrote:
> The current assumption is that all IPA users can login into
> Unix/Linux machines to change their IPA password, or reset their
> expired password.
>
> But this is not available all the time, so a more general alternative
> -- web UI -- will be more appreciated. The basic requirements are:
>
> 1, The web UI accepts user's passwords, expired is also accepted.

Hello Gelen,

Current Web UI allows only users with valid and non-expired password to log in. There is a ticket logged to improve this:

https://fedorahosted.org/freeipa/ticket/2276

With this change in, users with expired passwords will be able to log in and change the expired password right after successful authentication. This feature is planned to be released as a part of FreeIPA 3.0.

> 2, the authentication is based on IPA Kerberos.
>
> 3, authenticated regular IPA user can only reset his/her password
> only.
>
> 4, (bonus) authenticated admin users can alter other users' password
> as well.

All these features are already available in current upstream version of FreeIPA. For 4), this can be done also by non-admin user that has an appropriate privilege granted.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-devel