On 03/13/2012 02:26 PM, Simo Sorce wrote:

On Tue, 2012-03-13 at 13:37 +0100, Dimitris Tsompanidis wrote:

I am deploying FreeIPA for the company I work for and it has been a good
experience so far, apart from the fact that users cannot reset their
passwords through the web UI.

Users use Firefox to log into their accounts, they can update their
contact details just fine, but when they try to reset their passwords,
they get "Insufficient access: Invalid credentials".

At one point, I restarted FreeIPA and a couple of users were able to
reset their passwords but the rest of them keep getting the same error.

However, when users ssh to a Suse server running Krb5 against FreeIPA,
the password change works either by getting the "password expired"
notice or by running kpasswd.

My guess is that I do something wrong in the user-creation procedure or
that I missed something in the default policy that I should know.

I could get over this by just using ssh for password resets but I'm
planning on activating business users' accounts in the near future and
ssh is definitely out of the question.

I should also point out that we're using FreeIPA only for authentication
on servers (SSH, Jira, etc) but not on the desktop machines and I'm
running FreeIPA 2.1.4-4 on Fedora16.

Any comments are appreciated.

Sorry Dimitris, unfortunately this is currently a limitation with our
webUI, password changes on password expiration do not work through the
webUI, and that's the default state when you create and give a first
password to new users.

I'll just add that a user can change the password in the WebUI, but not after
a reset (as Simo wrote).

In this case I think the message "Insufficient access: Invalid
credentials" means that the password doesn't meet password policy
requirements. It is a known bug in 2.1.x. It is fixed in 2.2.