[Freeipa-users] REST/JSON API: Howto add a user that is not expired

Alexander Bokovoy abokovoy at redhat.com
Wed Nov 11 15:13:14 UTC 2015


On Wed, 11 Nov 2015, Oliver Dörr wrote:
>Hi,
>
>I've tried user_mod instead because of https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/pwd-expiration.html
>and got
>
>Error-code:    2100
>Error-name:    ACIError
>Error-msg:    Insufficient access: Insufficient 'write' privilege to 
>the 'krbPasswordExpiration' attribute of entry 
>'uid=k812339,cn=users,cn=accounts,dc=kreditwerk,dc=de'.
>
>Inside the access log of the LDAP Server I could see...
>
>[09/Nov/2015:18:40:31 +0100] conn=658 op=7 MOD 
>dn="uid=k812339,cn=users,cn=accounts,dc=kreditwerk,dc=de"
>[09/Nov/2015:18:40:31 +0100] conn=658 op=7 RESULT err=50 tag=103 
>nentries=0 etime=0
>
>So it looks like it is a permission issue. But I still have the 
>problem when I use admin to do the job. Any idea about how to change the 
>permission or an API that is able to do the job?
You simply cannot make it work for cases when a password change is
coming from a non-user. This is intentional.

See http://www.freeipa.org/page/New_Passwords_Expired

You can do a double change via LDAP password change (or Kerberos) where you change a
password first to something temporary, then try to change it again as a
user with that temporary password and set a new one. Since the second
change would be done as a user, that should allow the change to happen
without raising a flag.

>
>Thanks in advance
>Oliver
>
>On 11.11.2015 at 15:29, Oliver Dörr wrote:
>>Hi,
>>
>>I'm still working with the JSON API and I now have the problem that 
>>I want to add a user with a not expired password. I've tried setattr 
>>and addattr with the following JSON code, but both fail.
>>{"params":[[],{"givenname":"Oliver","userpassword":"start123","uid":"k812339","version":"2.151","addattr":"krbpasswordexpiration=20160207010919Z","cn":"Oliver 
>>Support","sn":"Support"}],"id":0,"method":"user_add"}
>>
>>
>>{"params":[[],{"givenname":"Oliver","userpassword":"start123","uid":"k812339","version":"2.151","cn":"Oliver Support","setattr":"krbpasswordexpiration=20160207010919Z","sn":"Support"}],"id":0,"method":"user_add"}
>>
>>
>>
>>The user is added to IPA, but the user is still forced to change 
>>its password. In the response I could see that my 
>>krbpasswordexpiration is ignored.
>>
>>Any ideas what I'm doing wrong?
>>
>>Thanks
>>Oliver
>>
>
>-- 
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go to http://freeipa.org for more info on the project

-- 
/ Alexander Bokovoy
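The double change Alexander describes, as an added example that is not part of the original thread or of FreeIPA's own code: an admin bind sets a throwaway password, then the user binds with it and sets the final one. The python-ldap calls, the URI and the example.com DNs are assumptions; the FakeIPADirectory class is a constructed offline stand-in that models only the rule from the thread (a password set by someone other than the user is expired, a self-change is not).

```python
import secrets
import string
from typing import Callable

# One LDAP password change: bind as bind_dn/bind_pw, then set target_dn's
# password to new_pw (the LDAP Password Modify extended operation).
PasswdOp = Callable[[str, str, str, str], None]

def make_temp_password(length: int = 20) -> str:
    """Random throwaway password for the first (administrative) change."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def double_change(passwd: PasswdOp, admin_dn: str, admin_pw: str,
                  user_dn: str, final_pw: str) -> str:
    """Step 1: admin sets a temporary password (FreeIPA expires it, since the
    change did not come from the user). Step 2: the user binds with it and
    changes it again; a self-change is not expired. Returns the temp password."""
    temp_pw = make_temp_password()
    passwd(admin_dn, admin_pw, user_dn, temp_pw)  # step 1: as admin
    passwd(user_dn, temp_pw, user_dn, final_pw)   # step 2: as the user
    return temp_pw

def python_ldap_passwd(uri: str) -> PasswdOp:
    """Real PasswdOp on python-ldap (assumed installed; needs a live server)."""
    import ldap  # lazy import so the offline stand-in below runs without it
    def op(bind_dn: str, bind_pw: str, target_dn: str, new_pw: str) -> None:
        conn = ldap.initialize(uri)
        conn.start_tls_s()                      # never send passwords in clear
        conn.simple_bind_s(bind_dn, bind_pw)
        conn.passwd_s(target_dn, None, new_pw)  # Password Modify extended op
        conn.unbind_s()
    return op

class FakeIPADirectory:
    """Offline stand-in that models only the expiry rule from the thread."""
    def __init__(self, entries):
        self.passwords = dict(entries)  # dn -> current password (constructed)
        self.expired = set()            # DNs whose password is expired
    def passwd(self, bind_dn, bind_pw, target_dn, new_pw):
        if self.passwords.get(bind_dn) != bind_pw:
            raise PermissionError(f"invalid credentials for {bind_dn}")
        self.passwords[target_dn] = new_pw
        if bind_dn == target_dn:
            self.expired.discard(target_dn)  # self-change: not expired
        else:
            self.expired.add(target_dn)      # set by someone else: expired
```

Against a real server, pass python_ldap_passwd("ldap://ipa.example.com") as the passwd argument; the same double_change logic then runs over the two LDAP binds.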
