Hello the FreeIPA List,


So as using the FreeIPA API and using LDAP directly to set existing users
passwords (because they don't yet have one) didn't work, we've set up PWM by
mostly following this gist:


This has worked, and users with existing passwords can log in an manage
their passwords. We are not using it to create user accounts. However we
have some users who do not have passwords, so they can't provide a current
password to do a password change.


We have a page on our customer management system that allows users with no
password to enter a password and this is sent to the PWM REST interface to
set the user's password in FreeIPA. The user is not new, they just have no
password set. There's a couple of thousand of them, so we're really keen on
self service.


However when we send a password reset request to the PWM REST with the
setpassword command (using the pwmproxy user credentials) we get the
following response:


{"error":true,"errorCode":5027,"errorMessage":"You do not have permission to
perform the requested action."}


We've tried making the pwmproxy user a admin, and have giving them
permission to change users passwords with the System: Change User password
permission, however this gives the same response. I'd prefer not to give the
pwmproxy account admin, but we need this to work. We've also tried using the
admin account with the same results, we'd prefer to use an API key but have
not yet managed to authenticate with one.


I'm asking here as PWM is recommended by FreeIPA as a suitable 3rd Party
project https://www.freeipa.org/page/Self-Service_Password_Reset


I feel we're one step away from making this work. Is there a specific
permission, aci, or other hoop to jump through to allow PWM to set a user's




Aaron Hicks





FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to