On 11/11/2015 04:13 PM, Alexander Bokovoy wrote:
On Wed, 11 Nov 2015, Oliver Dörr wrote:
Hi,

I've tried user_mod instead because of
https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/pwd-expiration.html
and got

Error-code:    2100
Error-name:    ACIError
Error-msg:    Insufficient access: Insufficient 'write' privilege to
the 'krbPasswordExpiration' attribute of entry
'uid=k812339,cn=users,cn=accounts,dc=kreditwerk,dc=de'.

Inside the access log of the LDAP server I could see...

[09/Nov/2015:18:40:31 +0100] conn=658 op=7 MOD
dn="uid=k812339,cn=users,cn=accounts,dc=kreditwerk,dc=de"
[09/Nov/2015:18:40:31 +0100] conn=658 op=7 RESULT err=50 tag=103
nentries=0 etime=0

So it looks like it is a permission issue. But I still have the
problem when I use admin to do the job. Any idea about how to change the
permission or an API that is able to do the job?
You simply cannot make it work for cases when a password change is
coming from a non-user. This is intentional.

See http://www.freeipa.org/page/New_Passwords_Expired

You can do a double change via LDAP password change (or Kerberos) where
you change a password first to something temporary, then try to change
it again as a user with that temporary password and set a new one. Since
the second change would be done as a user, that should allow the change
to happen without raising a flag.

You can use ipa/session/change_password call for that. With

Content-Type:application/x-www-form-urlencoded

and e.g.:

user:bbar
old_password:a
new_password:b

The Web UI uses it when a user with an expired password is resetting his pw. So you can check the communication in the browser network tab.



Thanks in advance
Oliver

On 11.11.2015 at 15:29, Oliver Dörr wrote:
Hi,

I'm still working with the JSON API and I now have the problem that
I want to add a user with a not expired password. I've tried setattr
and addattr with the following JSON code, but both fail.
{"params":[[],{"givenname":"Oliver","userpassword":"start123","uid":"k812339","version":"2.151","addattr":"krbpasswordexpiration=20160207010919Z","cn":"Oliver Support","sn":"Support"}],"id":0,"method":"user_add"}


{"params":[[],{"givenname":"Oliver","userpassword":"start123","uid":"k812339","version":"2.151","cn":"Oliver Support","setattr":"krbpasswordexpiration=20160207010919Z","sn":"Support"}],"id":0,"method":"user_add"}




The user is added to IPA, but the user is still forced to change its
password. In the response I could see that my krbpasswordexpiration
is ignored.

Any ideas what I'm doing wrong?

Thanks
Oliver


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project



--
Petr Vobornik
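
The two-step change described in this thread, sketched as request builders (an added example, not part of the original messages and not FreeIPA project code). The host name, the `/ipa/session/json` endpoint for step 1, the `Referer` header and the `X-IPA-Pwchange-Result` response header are assumptions to verify against your server; the form fields and content type are the ones given above.

```python
import json
import urllib.parse
import urllib.request

IPA_HOST = "ipa.example.test"          # constructed placeholder host
REFERER = f"https://{IPA_HOST}/ipa"    # assumption: server checks Referer


def admin_reset_request(uid, temp_password, version="2.151"):
    """Step 1: JSON-RPC user_mod setting a temporary password.
    Must be sent with an authenticated admin session (cookie not shown)."""
    payload = {"method": "user_mod", "id": 0,
               "params": [[uid], {"userpassword": temp_password,
                                  "version": version}]}
    return urllib.request.Request(
        f"https://{IPA_HOST}/ipa/session/json",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "Referer": REFERER},
        method="POST")


def user_change_request(uid, temp_password, new_password):
    """Step 2: form POST sent as the user, so the new password is not
    flagged as expired. urlencode() escapes '&', '+', '=' in passwords."""
    form = urllib.parse.urlencode({"user": uid,
                                   "old_password": temp_password,
                                   "new_password": new_password})
    return urllib.request.Request(
        f"https://{IPA_HOST}/ipa/session/change_password",
        data=form.encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Referer": REFERER},
        method="POST")


def change_succeeded(response_headers):
    """Assumption: the outcome is reported in X-IPA-Pwchange-Result
    ('ok' on success), so check it rather than the HTTP status alone."""
    return response_headers.get("X-IPA-Pwchange-Result", "").lower() == "ok"
```

Send both requests over verified TLS only, and discard the temporary password once step 2 reports success.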
