[Freeipa-users] Reset password in WebUI: Insufficient access: Invalid credentials

Petr Vobornik pvoborni at redhat.com
Tue Mar 13 13:53:44 UTC 2012


On 03/13/2012 02:26 PM, Simo Sorce wrote:
> On Tue, 2012-03-13 at 13:37 +0100, Dimitris Tsompanidis wrote:
>> Hi,
>>
>> I am deploying FreeIPA for the company I work for and it has been a good
>> experience so far, apart from the fact that users can not reset their
>> passwords through the web UI.
>>
>> Users use Firefox to log into their accounts, they can update their
>> contact details just fine, but when they try to reset their passwords,
>> they get "Insufficient access: Invalid credentials".
>> At one point, I restarted FreeIPA and a couple of users were able to
>> reset their passwords but the rest of them keep getting the same error.
>> However, when users ssh to a Suse server running Krb5 against FreeIPA,
>> the password change works either by getting the "password expired"
>> notice or by running kpasswd.
>> My guess is that I do something wrong in the user-creation procedure or
>> that I missed something in the default policy that I should know.
>>
>> I could get over this by just using ssh for password resets but I'm
>> planning on activating business users' accounts in the near future and
>> ssh is definitely out of the question.
>> I should also point out that we're using FreeIPA only for authentication
>> on servers (SSH, Jira, etc) but not on the desktop machines and I'm
>> running FreeIPA 2.1.4-4 on Fedora16.
>>
>> Any comments are appreciated.
>
> Sorry Dimitris, unfortunately this is currently a limitation with our
> webUI, password changes on password expiration do not work through the
> webUI, and that's the default state when you create and give a first
> password to new users.
>
> Simo.
>
>

I'll just add that a user can change their password in the WebUI, but not after a
reset (as Simo wrote).

In this case I think the message "Insufficient access: Invalid 
credentials" means that the password doesn't meet password policy 
requirements. It is a known bug in 2.1.x. It is fixed in 2.2.

https://fedorahosted.org/freeipa/ticket/2315
-- 
Petr Vobornik



