I am deploying FreeIPA for the company I work for and it has been a good
experience so far, apart from the fact that users can not reset their
passwords throught the web UI.
Users use Firefox to log into their accounts, they can update their
contact details just fine, but when they try to reset their passwords,
they get "Insufficient access: Invalid credentials".
At one point, I restarted FreeIPA and a couple of users were able to
reset their passwords but the rest of them keep getting the same error.
However, when users ssh to a Suse server running Krb5 against FreeIPA,
the password change works either by getting the "password expired"
notice or by running kpasswd.
My guess is that I do something wrong in the user-creation procedure or
that I missed something in the default policy that I should know.
I could get over this by just using ssh for password resets but I'm
planning on activating business users' account in the near future and
ssh is definitely out of the question.
I should also point out that we're using FreeIPA only for authentication
on servers (SSH, Jira, etc) but not on the desktop machines and I'm
running FreeIPA 2.1.4-4 on Fedora16.
Any comments are appreciated.
Freeipa-users mailing list