Hi Charles,

 

The pwmproxy account is able to reset other user’s passwords from the command 
line using `ipa passwd username`

 

However, it not getting permission when using the PWM API or when logged in.

 

Regards,

 

Aaron

 

From: Charles Hedrick [mailto:hedr...@rutgers.edu] 
Sent: Friday, 17 November 2017 7:49 AM
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Aaron Hicks <aaron.hi...@nesi.org.nz>
Subject: Re: [Freeipa-users] PWM and FreeIPA integration

 

I can’t help with PWM, but I can say that I have a self-service web app that 
does “ipa passwd” to change user passwords. It works fine, though the principal 
it uses has to be registered specially if you don’t want the user to be forced 
to change password the first time they login.

 

The following sets things so that when hedrick.admin or 
http/services.cs.rutgers.edu <http://services.cs.rutgers.edu>  change 
passwords, they don’t need to be changed a second time.

 

dn: cn=ipa_pwd_extop,cn=plugins,cn=config

changetype: modify

add:passSyncManagersDNs

passSyncManagersDNs: 
uid=hedrick.admin,cn=users,cn=accounts,dc=cs,dc=rutgers,dc=edu

passsyncmanagersdns: krbprincipalname=http/services.cs.rutgers.edu@CS.RUTGERS 
<mailto:krbprincipalname=http/services.cs.rutgers.edu@CS.RUTGERS> .

 EDU,cn=services,cn=accounts,dc=cs,dc=rutgers,dc=edu

 

To find the dn of the http service principal, do

 

ipa service-show PRINCIPAL —all

 

and look for the DN.

 

Note that a user with password change privs can’t change the password of anyone 
in group admins. That caused some head scratching when I tried to test the 
application on myself.

 

We found one other oddity: if a user has an expiration date for their principal 
(not the password, the principal), and we changed their password, the password 
ended up with an expiration date before the last change date, and is not 
usable. I conjecture that this occurs if the password expiration is set beyond 
the principal expiration, but I haven’t checked enough to verify that. We fixed 
it by removing the principal expiration.

 





On Nov 14, 2017, at 11:09 PM, Aaron Hicks via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org 
<mailto:freeipa-users@lists.fedorahosted.org> > wrote:

 

Hello the FreeIPA List,

 

So as using the FreeIPA API and using LDAP directly to set existing users 
passwords (because they don’t yet have one) didn’t work, we’ve set up PWM by 
mostly following this gist:  
<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgist.github.com%2FPowerWagon%2Fd794a1233d7943f1614d2ae5223e678a&data=02%7C01%7Chedrick%40rutgers.edu%7Cf3c7a06160ce438346f208d52bdeca9a%7Cb92d2b234d35447093ff69aca6632ffe%7C1%7C0%7C636463158249432100&sdata=z5rZtPg%2BPlxdYk59RUEFLq5NJGOEzwLLbatGIzydYAo%3D&reserved=0>
 https://gist.github.com/PowerWagon/d794a1233d7943f1614d2ae5223e678a

 

This has worked, and users with existing passwords can log in an manage their 
passwords. We are not using it to create user accounts. However we have some 
users who do not have passwords, so they can’t provide a current password to do 
a password change.

 

We have a page on our customer management system that allows users with no 
password to enter a password and this is sent to the PWM REST interface to set 
the user’s password in FreeIPA. The user is not new, they just have no password 
set. There’s a couple of thousand of them, so we’re really keen on self service.

 

However when we send a password reset request to the PWM REST with the 
setpassword command (using the pwmproxy user credentials) we get the following 
response:

 

{"error":true,"errorCode":5027,"errorMessage":"You do not have permission to 
perform the requested action."}

 

We’ve tried making the pwmproxy user a admin, and have giving them permission 
to change users passwords with the System: Change User password  permission, 
however this gives the same response. I’d prefer not to give the pwmproxy 
account admin, but we need this to work. We’ve also tried using the admin 
account with the same results, we’d prefer to use an API key but have not yet 
managed to authenticate with one.

 

I’m asking here as PWM is recommended by FreeIPA as a suitable 3rd Party 
project  <https://www.freeipa.org/page/Self-Service_Password_Reset> 
https://www.freeipa.org/page/Self-Service_Password_Reset

 

I feel we’re one step away from making this work. Is there a specific 
permission, aci, or other hoop to jump through to allow PWM to set a user’s 
password?

 

Regards,

 

Aaron Hicks

 

 

 

 

_______________________________________________
FreeIPA-users mailing list --  <mailto:freeipa-users@lists.fedorahosted.org> 
freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to  
<mailto:freeipa-users-le...@lists.fedorahosted.org> 
freeipa-users-le...@lists.fedorahosted.org

 

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to