On Sun, 2012-05-20 at 02:22 -0700, Gelen James wrote:
> The current assumption is that all IPA users can log in to
> Unix/Linux machines to change their IPA password, or reset their
> expired password.
> But this is not available all the time, so a more general alternative
> -- web UI -- will be more appreciated. The basic requirements are:
> 1, The web UI accepts users' passwords; expired ones are also accepted.
The current Web UI allows only users with a valid and non-expired password to
log in. There is a ticket logged to improve this:
With this change in, users with expired passwords will be able to log in
and change the expired password right after successful authentication.
This feature is planned to be released as a part of FreeIPA 3.0.
> 2, the authentication is based on IPA Kerberos.
> 3, authenticated regular IPA user can only reset his/her password
> 4, (bonus) authenticated admin users can alter other users' password
> as well.
All these features are already available in the current upstream version of
FreeIPA. For 4), this can also be done by a non-admin user that has an
appropriate privilege granted.
Freeipa-devel mailing list