Hello Everyone,
I'm testing out a FreeIPA password reset app and was wondering about its use of an API call to reset the user's password.
api.Command.user_mod(uid=unicode(uid), userpassword=unicode(password))
api.Command.user_mod(uid=unicode(uid), setattr=unicode("krbPasswordExpiration={0}".format(date)))
When using the API, do you need to manually set the password expiration date?
The reason I ask is because while testing, that code raises an exception with the error message "Insufficient access: Insufficient 'write' privilege to the 'krbPasswordExpiration' attribute of entry 'uid=test,cn=users,cn=accounts,dc=dev,dc=example,dc=net'."
I checked the permission "System: Change User Password" and it doesn't include krbPasswordExpiration as a writable attribute.
I know that if you use ldapmodify to manually set the user's password, you do need to also modify the krbPasswordExpiration attribute, but I wasn't sure when modifying via the IPA API.
I hope this makes sense, thank you to everyone who answers questions on this list, you really positively impact the open source community!
Many Thanks,
Anthony