Hello the FreeIPA List,

So, as using the FreeIPA API and using LDAP directly to set existing users' passwords (because they don't yet have one) didn't work, we've set up PWM, mostly following this gist: https://gist.github.com/PowerWagon/d794a1233d7943f1614d2ae5223e678a

This has worked, and users with existing passwords can log in and manage their passwords. We are not using it to create user accounts. However, we have some users who do not have passwords, so they can't provide a current password to do a password change.

We have a page on our customer management system that allows users with no password to enter a password, and this is sent to the PWM REST interface to set the user's password in FreeIPA. The user is not new, they just have no password set. There are a couple of thousand of them, so we're really keen on self-service.

However, when we send a password reset request to the PWM REST interface with the setpassword command (using the pwmproxy user credentials) we get the following response:

{"error":true,"errorCode":5027,"errorMessage":"You do not have permission to perform the requested action."}

We've tried making the pwmproxy user an admin, and have given them permission to change users' passwords with the "System: Change User password" permission; however, this gives the same response. I'd prefer not to give the pwmproxy account admin rights, but we need this to work. We've also tried using the admin account, with the same results. We'd prefer to use an API key but have not yet managed to authenticate with one.

I'm asking here as PWM is recommended by FreeIPA as a suitable third-party project: https://www.freeipa.org/page/Self-Service_Password_Reset

I feel we're one step away from making this work. Is there a specific permission, ACI, or other hoop to jump through to allow PWM to set a user's password?

Regards,

Aaron Hicks
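The REST exchange the post describes, written out as an added example so the request shape and the error envelope can be seen end to end. This is not code from the post, from PWM or from FreeIPA. It assumes PWM exposes POST /pwm/public/rest/setpassword, takes HTTP Basic auth for the proxy (service) account, accepts a JSON body with "username" and "password", and answers with the JSON envelope quoted above; the host, account names and passwords are placeholders, and the server in the block is a constructed stand-in that just returns the 5027 reply so the example runs offline.

```python
"""Call PWM's REST setpassword endpoint and surface its error codes.

Added example, not code from the original post or from the PWM/FreeIPA
projects. Assumptions: PWM exposes POST /pwm/public/rest/setpassword,
accepts HTTP Basic auth for the proxy (service) account, and takes a JSON
body {"username": ..., "password": ...}. The error payload shape is the one
quoted in the post. Host, account names and passwords are placeholders.
"""
import base64
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class PwmError(Exception):
    """Raised when PWM answers with {"error": true, ...}."""

    def __init__(self, code, message):
        super().__init__(f"PWM error {code}: {message}")
        self.code = code
        self.message = message


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header value for HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_setpassword_response(body: bytes) -> dict:
    """Decode a PWM REST reply; raise PwmError on the error envelope."""
    try:
        reply = json.loads(body.decode("utf-8"))
    except ValueError:
        raise PwmError(None, f"non-JSON reply: {body[:200]!r}")
    if reply.get("error"):
        raise PwmError(reply.get("errorCode"), reply.get("errorMessage", ""))
    return reply


def set_password(base_url, target_user, new_password, proxy_user,
                 proxy_password, timeout=10):
    """POST a setpassword request as the proxy account; return PWM's JSON reply.

    base_url is the PWM context root, e.g. https://pwm.example.org/pwm
    (placeholder). Only ever use https in a real deployment: the body
    carries the new password and the header carries the proxy credentials.
    """
    url = base_url.rstrip("/") + "/public/rest/setpassword"  # assumed PWM path
    payload = json.dumps({"username": target_user,
                          "password": new_password}).encode()
    req = urllib.request.Request(url, data=payload, method="POST", headers={
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Authorization": basic_auth_header(proxy_user, proxy_password),
    })
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_setpassword_response(resp.read())
    except urllib.error.HTTPError as exc:
        # Try to extract PWM's envelope from a 4xx/5xx body as well.
        return parse_setpassword_response(exc.read())


# --- constructed stand-in for PWM, only so the example runs offline ---------
CANNED_REPLY = {"error": True, "errorCode": 5027,
                "errorMessage": "You do not have permission to perform the "
                                "requested action."}


class FakePwmHandler(BaseHTTPRequestHandler):
    seen = []  # requests recorded for inspection

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        self.seen.append({
            "path": self.path,
            "authorization": self.headers.get("Authorization"),
            "body": json.loads(self.rfile.read(length)),
        })
        out = json.dumps(CANNED_REPLY).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

    def log_message(self, *args):  # keep the example quiet
        pass


def run_demo():
    """Drive set_password against the fake PWM; return (recorded request, error)."""
    server = HTTPServer(("127.0.0.1", 0), FakePwmHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}/pwm"  # plain http only for the stub
    caught = None
    try:
        set_password(base, "jdoe", "CorrectHorse!9", "pwmproxy", "proxy-secret")
    except PwmError as err:
        caught = err
    finally:
        server.shutdown()
        server.server_close()
    return FakePwmHandler.seen[-1], caught


if __name__ == "__main__":
    request, error = run_demo()
    print("sent:", request["path"], request["body"])
    print("got:", error)
```

Two practical points follow from the code. First, the proxy account can set any user's password, so the customer-management page that calls this must verify the user's identity itself (an emailed or SMS token, for instance) before it submits the request; PWM is not checking a current password on this path. Second, the error code is the only signal PWM gives about why the call failed, so log the code and the target username but never the password or the proxy credentials.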