I am deploying FreeIPA for the company I work for and it has been a good experience so far, apart from the fact that users cannot reset their passwords through the web UI.

Users use Firefox to log into their accounts; they can update their contact details just fine, but when they try to reset their passwords, they get "Insufficient access: Invalid credentials". At one point, I restarted FreeIPA and a couple of users were able to reset their passwords but the rest of them keep getting the same error. However, when users ssh to a SUSE server running Krb5 against FreeIPA, the password change works either by getting the "password expired" notice or by running kpasswd. My guess is that I do something wrong in the user-creation procedure or that I missed something in the default policy that I should know.

I could get over this by just using ssh for password resets but I'm planning on activating business users' accounts in the near future and ssh is definitely out of the question. I should also point out that we're using FreeIPA only for authentication on servers (SSH, Jira, etc.) but not on the desktop machines and I'm running FreeIPA 2.1.4-4 on Fedora 16.

Any comments are appreciated.

Dimitris Tsompanidis

Freeipa-users mailing list
