Hello Everyone,

I'm testing out a FreeIPA password reset app and was wondering about its use of an API call to reset the user's password.

The code in question is at https://github.com/larrabee/freeipa-password-reset/blob/master/PasswordReset/app/pwdmanager.py and it's at line 61/62:

api.Command.user_mod(uid=unicode(uid), userpassword=unicode(password))
api.Command.user_mod(uid=unicode(uid), setattr=unicode("krbPasswordExpiration={0}".format(date)))

When using the API, do you need to manually set the password expiration date?

The reason I ask is because while testing, that code raises an exception with the error message "Insufficient access: Insufficient 'write' privilege to the 'krbPasswordExpiration' attribute of entry 'uid=test,cn=users,cn=accounts,dc=dev,dc=example,dc=net'."

I checked the permission "System: Change User Password" and it doesn't include krbPasswordExpiration as a writable attribute.

I know that if you use ldapmodify to manually set the user's password, you do need to also modify the krbPasswordExpiration attribute, but I wasn't sure when modifying via the IPA API.

I hope this makes sense, thank you to everyone who answers questions on this list, you really positively impact the open source community!

Many Thanks,

Anthony