Hello Everyone,
I'm testing out a FreeIPA password reset app and was wondering about its use of an API call to reset the user's password.
The code in question is at https://github.com/larrabee/freeipa-password-reset/blob/master/PasswordReset/app/pwdmanager.py and it's at line 61/62:
    api.Command.user_mod(uid=unicode(uid), userpassword=unicode(password))
    api.Command.user_mod(uid=unicode(uid), setattr=unicode("krbPasswordExpiration={0}".format(date)))
When using the API, do you need to manually set the password expiration date?
The reason I ask is because while testing, that code raises an exception with the error message "Insufficient access: Insufficient 'write' privilege to the 'krbPasswordExpiration' attribute of entry 'uid=test,cn=users,cn=accounts,dc=dev,dc=example,dc=net'."
I checked the permission "System: Change User Password" and it doesn't include krbPasswordExpiration as a writable attribute.
I know that if you use ldapmodify to manually set the user's password, you do need to also modify the krbPasswordExpiration attribute, but I wasn't sure when modifying via the IPA API.
I hope this makes sense. Thank you to everyone who answers questions on this list; you really positively impact the open source community!
Many Thanks,
Anthony
Some further information: This is CentOS 7, with standard RPMs, version 4.4.0-14. I'm unable to update because of a convoluted proxy setup to allow users to change their passwords from a particular location.
Even running the code mentioned previously under the admin keytab will still throw the error about insufficient write privileges to the krbPasswordExpiration attribute.
To help me troubleshoot, is there a way to tell which permissions apply to the krbPasswordExpiration attribute in the cn=users,cn=accounts,dc=dev,dc=example,dc=net subtree?
Thanks,
Anthony
Anthony Jarvis-Clark via FreeIPA-users wrote:
> Some further information: This is CentOS 7, with standard RPMs, version 4.4.0-14. I'm unable to update because of a convoluted proxy setup to allow users to change their passwords from a particular location.
> Even running the code mentioned previously under the admin keytab will still throw the error about insufficient write privileges to krbPasswordExpiration attribute.
> To help me troubleshoot, is there a way to tell which permissions apply to the krbPasswordExpiration attribute in the cn=users,cn=accounts,dc=dev,dc=example,dc=net subtree?
The permissions depend on the bound user, but there is no write access to any user by default for this attribute. This is part of https://www.freeipa.org/page/New_Passwords_Expired
rob
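For the troubleshooting question in the thread (which rules cover krbPasswordExpiration), the following is an added example, not code from the thread or from the FreeIPA project: a small parser that takes 389-DS ACI strings, as stored in the `aci` attribute of directory entries, and lists the rules that grant or deny a given right on an attribute. The sample ACIs, `SUFFIX` and the function names are constructed for illustration; an ACI without a `targetattr` keyword is assumed not to cover any attribute.

```python
import re

# Constructed sample ACIs in 389-DS syntax; attribute lists and names are
# illustrative and not copied from a real FreeIPA server.
SUFFIX = "dc=dev,dc=example,dc=net"
SAMPLE_ACIS = [
    '(targetattr = "userpassword || krbprincipalkey || passwordhistory")'
    '(version 3.0;acl "permission:System: Change User Password";allow (write) '
    'groupdn = "ldap:///cn=example,cn=permissions,cn=pbac,' + SUFFIX + '";)',
    '(targetattr != "userPassword || krbPasswordExpiration || krbLastPwdChange")'
    '(version 3.0;acl "Example admin rule";allow (all) '
    'groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,' + SUFFIX + '";)',
    '(targetattr = "*")(version 3.0;acl "Example read rule";'
    'allow (read,search,compare) userdn = "ldap:///all";)',
]

TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
ACL_NAME = re.compile(r'acl\s+"([^"]*)"', re.I)
RULE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)\s*([^;]*);', re.I)


def rules_for(aci, attr, right="write"):
    """Return [(acl_name, 'allow'|'deny', bind_rule)] covering `right` on `attr`."""
    m = TARGETATTR.search(aci)
    if not m:
        return []  # assumption: no targetattr keyword means no attribute is targeted
    listed = {a.strip().lower() for a in m.group(2).split("||")}
    hit = "*" in listed or attr.lower() in listed
    if m.group(1) == "!=":
        hit = not hit  # "!=" targets every attribute except the listed ones
    if not hit:
        return []
    name = ACL_NAME.search(aci)
    found = []
    for verb, rights, bind in RULE.findall(aci):
        granted = {r.strip().lower() for r in rights.split(",")}
        if right.lower() in granted or "all" in granted:
            found.append((name.group(1) if name else "?", verb.lower(), bind.strip()))
    return found


def audit(acis, attr, right="write"):
    """Collect every matching rule across a list of ACI strings."""
    return [rule for aci in acis for rule in rules_for(aci, attr, right)]


if __name__ == "__main__":
    for attr in ("userPassword", "krbPasswordExpiration"):
        print(attr, "->", audit(SAMPLE_ACIS, attr) or "no write rule")
```

Note that the second sample rule grants `all` but uses `targetattr !=`, so a broad administrative rule can still leave an excluded attribute unwritable.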
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org