On Wed, 2012-06-06 at 14:34 +0200, Willem Bos wrote:
> Hi Alexander,
> I did some experimenting with the example at
> and am now able to create a user using the following as input to curl (-d
> @user_add.json) :
> I'm left with two questions :
> - Is it possible to use a hashed password (as stored in the 'meta-IM')
> as a value for userpassword? And if so, will this propagate to the
> created Kerberos principal?
Nope, we need the clear text in order to generate the krb5 keys.
> - After creation, I'm forced to change the password when running
> `kinit test`. Is it possible to reset prevent the forced password
Yes, see: http://www.freeipa.org/page/PasswordSynchronization
> As a test, I tried to set the '-needchange' attribute using kadmin but
> that returned "... Insufficient access while modifying..."
This is not controlled by kadmin.
> I grepped the mailing list archives / API.txt / source code / etc. for
> clues but without success...
See above, it is really easy to create an agent with the right
Simo Sorce * Red Hat, Inc * New York
Freeipa-users mailing list