Some further information: This is CentOS 7, with standard RPMs, version
4.4.0-14. I'm unable to update because of a convoluted proxy setup to allow
users to change their passwords from a particular location.
Even running the code mentioned previously under the admin keytab will
still throw the error about insufficient write privileges to
krbPasswordExpiration attribute.
To help me troubleshoot, is there a way to tell which permissions apply to
the krbPasswordExpiration attribute in
the cn=users,cn=accounts,dc=dev,dc=example,dc=net subtree?
Thanks,
Anthony
On Wed, Mar 27, 2019 at 11:05 AM Anthony Jarvis-Clark <
anthonyclarka2(a)gmail.com> wrote:
Hello Everyone,
I'm testing out a FreeIPA password reset app and was wondering about its
use of an API call to reset the user's password.
The code in question is at
https://github.com/larrabee/freeipa-password-reset/blob/master/PasswordRe...
and
it's at line 61/62:
api.Command.user_mod(uid=unicode(uid), userpassword=unicode(password))
api.Command.user_mod(uid=unicode(uid),
setattr=unicode("krbPasswordExpiration={0}".format(date)))
When using the API, do you need to manually set the password expiration
date?
The reason I ask is because while testing, that code raises an exception
with the error message "Insufficient access: Insufficient 'write' privilege
to the 'krbPasswordExpiration' attribute of entry
'uid=test,cn=users,cn=accounts,dc=dev,dc=example,dc=net'."
I checked the permission "System: Change User Password" and it doesn't
include krbPasswordExpiration as a writable attribute.
I know that if you use ldapmodify to manually set the user's password, you
do need to also modify the krbPasswordExpiration attribute, but I wasn't
sure when modifying via the IPA API.
I hope this makes sense, thank you to everyone who answers questions on
this list, you really positively impact the open source community!
Many Thanks,
Anthony