[Freeipa-users] Reset password in WebUI: Insufficient access: Invalid credentials

[Dimitris Tsompanidis]

Hi,

I am deploying FreeIPA for the company I work for and it has been a good 
experience so far, apart from the fact that users can not reset their 
passwords throught the web UI.

Users use Firefox to log into their accounts, they can update their 
contact details just fine, but when they try to reset their passwords, 
they get "Insufficient access: Invalid credentials".
At one point, I restarted FreeIPA and a couple of users were able to 
reset their passwords but the rest of them keep getting the same error.
However, when users ssh to a Suse server running Krb5 against FreeIPA, 
the password change works either by getting the "password expired" 
notice or by running kpasswd.
My guess is that I do something wrong in the user-creation procedure or 
that I missed something in the default policy that I should know.

I could get over this by just using ssh for password resets but I'm 
planning on activating business users' account in the near future and 
ssh is definitely out of the question.
I should also point out that we're using FreeIPA only for authentication 
on servers (SSH, Jira, etc) but not on the desktop machines and I'm 
running FreeIPA 2.1.4-4 on Fedora16.

Any comments are appreciated.

-- 
Dimitris Tsompanidis