[Freeipa-users] REST/JSON API: Howto add a user that is not expired
Alexander Bokovoy
abokovoy at redhat.com
Wed Nov 11 15:13:14 UTC 2015
On Wed, 11 Nov 2015, Oliver Dörr wrote:
>Hi,
>
>I've tried user_mod instead because of https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/pwd-expiration.html
>and got
>
>Error-code: 2100
>Error-name: ACIError
>Error-msg: Insufficient access: Insufficient 'write' privilege to
>the 'krbPasswordExpiration' attribute of entry
>'uid=k812339,cn=users,cn=accounts,dc=kreditwerk,dc=de'.
>
>Inside the access log of the LDAP server I could see...
>
>[09/Nov/2015:18:40:31 +0100] conn=658 op=7 MOD
>dn="uid=k812339,cn=users,cn=accounts,dc=kreditwerk,dc=de"
>[09/Nov/2015:18:40:31 +0100] conn=658 op=7 RESULT err=50 tag=103
>nentries=0 etime=0
>
>So it looks like it is a permission issue. But I still have the
>problem when I use admin to do the job. Any idea about how to change the
>permission or an API that is able to do the job?
You simply cannot make it work for cases when a password change is
coming from a non-user. This is intentional.
See http://www.freeipa.org/page/New_Passwords_Expired
You can do a double change via LDAP password change (or Kerberos) where you change a
password first to something temporary, then try to change it again as a
user with that temporary password and set a new one. Since the second
change would be done as a user, that should allow the change to happen
without raising a flag.
>
>Thanks in advance
>Oliver
>
>Am 11.11.2015 um 15:29 schrieb Oliver Dörr:
>>Hi,
>>
>>I'm still working with the JSON API and I now have the problem that
>>I want to add a user with a not expired password. I've tried setattr
>>and addattr with the following JSON code, but both fail.
>>{"params":[[],{"givenname":"Oliver","userpassword":"start123","uid":"k812339","version":"2.151","addattr":"krbpasswordexpiration=20160207010919Z","cn":"Oliver Support","sn":"Support"}],"id":0,"method":"user_add"}
>>
>>
>>{"params":[[],{"givenname":"Oliver","userpassword":"start123","uid":"k812339","version":"2.151","cn":"Oliver Support","setattr":"krbpasswordexpiration=20160207010919Z","sn":"Support"}],"id":0,"method":"user_add"}
>>
>>
>>
>>The user is added to IPA, but the user is still forced to change
>>its password. In the response I could see that my
>>krbpasswordexpiration is ignored.
>>
>>Any ideas what I'm doing wrong?
>>
>>Thanks
>>Oliver
>>
>
>--
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go to http://freeipa.org for more info on the project
--
/ Alexander Bokovoy
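The double change Alexander describes, carried out over FreeIPA's web API rather than raw LDAP, as an added example that is not code from this thread or from the FreeIPA project. It creates the user as admin over the JSON-RPC endpoint (the password set there lands expired, which is the intended behaviour the thread discusses) and then immediately changes it through the session's change_password form endpoint, which performs the change as the user with the temporary password. The endpoint paths (/ipa/session/login_password, /ipa/session/json, /ipa/session/change_password), the X-IPA-Pwchange-Result header and the "2.151" API version are taken from the standard FreeIPA web server and the thread's own requests; the class and function names are mine, and the server must present a certificate trusted by the system store or the `cafile` you pass in.

```python
"""Added example (not from the thread or FreeIPA itself): provision a user
over the FreeIPA JSON-RPC API, then do the second half of the "double
change" as that user so the final password is not marked expired.

Assumed (not stated on the page): the server exposes the standard
/ipa/session/login_password, /ipa/session/json and
/ipa/session/change_password endpoints, and the IPA CA is trusted."""
import http.cookiejar
import json
import ssl
import urllib.parse
import urllib.request

API_VERSION = "2.151"  # version string used in the thread's requests


def build_rpc_request(method, args=(), options=None, request_id=0):
    """Build a FreeIPA JSON-RPC body; params is [positional, keyword]."""
    opts = dict(options or {})
    opts.setdefault("version", API_VERSION)
    return {"method": method, "params": [list(args), opts], "id": request_id}


def parse_pwchange_result(headers):
    """Map the X-IPA-Pwchange-Result header to (ok, reason).

    'ok' means the change succeeded; anything else (e.g. 'invalid-password',
    'policy-error', 'error') is handed back as the reason for logging."""
    result = headers.get("X-IPA-Pwchange-Result", "error")
    return result == "ok", result


class IpaSession:
    """Cookie-backed session against one FreeIPA server (hypothetical helper)."""

    def __init__(self, base_url, cafile=None):
        self.base_url = base_url.rstrip("/")
        ctx = ssl.create_default_context(cafile=cafile)  # verify the IPA CA
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPSHandler(context=ctx),
            urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()),
        )

    def _post(self, path, body, content_type, accept="application/json"):
        # FreeIPA rejects session requests whose Referer is not the IPA URL.
        req = urllib.request.Request(
            self.base_url + path, data=body, method="POST",
            headers={"Content-Type": content_type, "Accept": accept,
                     "Referer": self.base_url + "/ipa"},
        )
        return self.opener.open(req)

    def login(self, user, password):
        """Form login; on success the server sets the ipa_session cookie.
        A wrong or expired password raises HTTPError (401) here."""
        body = urllib.parse.urlencode({"user": user, "password": password}).encode()
        self._post("/ipa/session/login_password", body,
                   "application/x-www-form-urlencoded", accept="text/plain")

    def call(self, method, args=(), options=None):
        """One JSON-RPC call; raises on an error object such as ACIError."""
        body = json.dumps(build_rpc_request(method, args, options)).encode()
        with self._post("/ipa/session/json", body, "application/json") as resp:
            reply = json.load(resp)
        if reply.get("error"):
            err = reply["error"]
            raise RuntimeError("%s: %s" % (err.get("name"), err.get("message")))
        return reply["result"]

    def change_password_as_user(self, user, old_password, new_password):
        """Second change: the server binds as the user, not as admin, so the
        new password is not flagged as set by someone else."""
        body = urllib.parse.urlencode({"user": user, "old_password": old_password,
                                       "new_password": new_password}).encode()
        with self._post("/ipa/session/change_password", body,
                        "application/x-www-form-urlencoded",
                        accept="text/plain") as resp:
            return parse_pwchange_result(resp.headers)


def provision_user_with_active_password(session, admin_user, admin_password, uid,
                                        givenname, sn, temp_password, final_password):
    """Create the user as admin (password lands expired, by design), then
    change it as the user so the final password is usable right away."""
    session.login(admin_user, admin_password)
    result = session.call("user_add", [uid], {
        "givenname": givenname, "sn": sn, "userpassword": temp_password})
    ok, reason = session.change_password_as_user(uid, temp_password, final_password)
    if not ok:
        raise RuntimeError("password change as %s failed: %s" % (uid, reason))
    return result
```

Use a random, single-use value for `temp_password`; it only needs to survive until the second call. Keeping the user_add step unprivileged with respect to krbPasswordExpiration is what preserves the guarantee the thread is about: an administrator still never ends up holding a long-lived password for someone else's account.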