I can’t help with PWM, but I can say that I have a self-service web app that does “ipa passwd” to change user passwords. It works fine, though the principal it uses has to be registered specially if you don’t want the user to be forced to change password the first time they login.

The following sets things so that when hedrick.admin or http/services.cs.rutgers.edu change passwords, they don’t need to be changed a second time.

dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=hedrick.admin,cn=users,cn=accounts,dc=cs,dc=rutgers,dc=edu
passSyncManagersDNs: krbprincipalname=http/services.cs.rutgers.edu@CS.RUTGERS.
 EDU,cn=services,cn=accounts,dc=cs,dc=rutgers,dc=edu

To find the dn of the http service principal, do

ipa service-show PRINCIPAL --all

and look for the DN.

Note that a user with password change privs can’t change the password of anyone in group admins. That caused some head scratching when I tried to test the application on myself.

We found one other oddity: if a user has an expiration date for their principal (not the password, the principal), and we changed their password, the password ended up with an expiration date before the last change date, and is not usable. I conjecture that this occurs if the password expiration is set beyond the principal expiration, but I haven’t checked enough to verify that. We fixed it by removing the principal expiration.
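As an added example (not code from either poster), the following Python helper generates the ipa_pwd_extop modification shown above for any set of manager DNs. It applies the LDIF rules that the pasted entry relies on, folding lines longer than 76 characters onto continuation lines that begin with a single space and base64-encoding any value LDIF cannot carry literally, and includes an unfold routine so the generated file can be checked before it is fed to ldapmodify. The DNs used are the two from this thread; the plugin DN and attribute name are as given above.

```python
import base64

LDIF_WIDTH = 76  # RFC 2849: physical lines should not exceed 76 characters
PLUGIN_DN = "cn=ipa_pwd_extop,cn=plugins,cn=config"
ATTR = "passSyncManagersDNs"


def _fold(line):
    """Fold one logical LDIF line; continuation lines start with one space."""
    parts = [line[:LDIF_WIDTH]]
    rest = line[LDIF_WIDTH:]
    while rest:
        parts.append(" " + rest[:LDIF_WIDTH - 1])
        rest = rest[LDIF_WIDTH - 1:]
    return "\n".join(parts)


def _attrval(attr, value):
    """Render 'attr: value', switching to 'attr:: base64' when the value is
    not a SAFE-STRING (non-ASCII, leading space/colon/'<', newline, trailing space)."""
    safe = (value.isascii() and "\n" not in value
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return _fold(f"{attr}: {value}")
    return _fold(f"{attr}:: {base64.b64encode(value.encode()).decode()}")


def passsync_ldif(manager_dns):
    """LDIF change record that registers each DN as a password-sync manager,
    i.e. an account whose password changes do not force a change at next login."""
    lines = [f"dn: {PLUGIN_DN}", "changetype: modify", f"add: {ATTR}"]
    lines += [_attrval(ATTR, dn) for dn in manager_dns]
    lines.append("-")  # terminates the mod-spec (RFC 2849)
    return "\n".join(lines) + "\n"


def unfold(ldif):
    """Undo line folding so each attribute/value is one logical line again."""
    logical = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


if __name__ == "__main__":
    # DNs taken from the thread: an admin user and the web app's HTTP service principal
    print(passsync_ldif([
        "uid=hedrick.admin,cn=users,cn=accounts,dc=cs,dc=rutgers,dc=edu",
        "krbprincipalname=http/services.cs.rutgers.edu@CS.RUTGERS.EDU,"
        "cn=services,cn=accounts,dc=cs,dc=rutgers,dc=edu",
    ]))
```

Pipe the output into ldapmodify as Directory Manager (the plugin entry lives under cn=config), then re-run unfold on the file you sent if a DN looks truncated: a continuation line missing its leading space is the usual cause.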


On Nov 14, 2017, at 11:09 PM, Aaron Hicks via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

Hello the FreeIPA List,
 
So as using the FreeIPA API and using LDAP directly to set existing users' passwords (because they don’t yet have one) didn’t work, we’ve set up PWM by mostly following this gist: https://gist.github.com/PowerWagon/d794a1233d7943f1614d2ae5223e678a
 
This has worked, and users with existing passwords can log in and manage their passwords. We are not using it to create user accounts. However, we have some users who do not have passwords, so they can’t provide a current password to do a password change.
 
We have a page on our customer management system that allows users with no password to enter a password and this is sent to the PWM REST interface to set the user’s password in FreeIPA. The user is not new, they just have no password set. There’s a couple of thousand of them, so we’re really keen on self service.
 
However when we send a password reset request to the PWM REST with the setpassword command (using the pwmproxy user credentials) we get the following response:
 
{"error":true,"errorCode":5027,"errorMessage":"You do not have permission to perform the requested action."}
 
We’ve tried making the pwmproxy user an admin, and have given them permission to change users' passwords with the System: Change User password permission, however this gives the same response. I’d prefer not to give the pwmproxy account admin, but we need this to work. We’ve also tried using the admin account with the same results; we’d prefer to use an API key but have not yet managed to authenticate with one.
 
I’m asking here as PWM is recommended by FreeIPA as a suitable 3rd Party project https://www.freeipa.org/page/Self-Service_Password_Reset
 
I feel we’re one step away from making this work. Is there a specific permission, aci, or other hoop to jump through to allow PWM to set a user’s password?
 
Regards,
 
Aaron Hicks
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org