[Freeipa-users] REST/JSON API: Howto add a user that is not expired

Petr Vobornik pvoborni at redhat.com
Thu Nov 12 12:29:43 UTC 2015


On 11/11/2015 04:13 PM, Alexander Bokovoy wrote:
> On Wed, 11 Nov 2015, Oliver Dörr wrote:
>> Hi,
>>
>> I've tried user_mod instead because of
>> https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/pwd-expiration.html
>> and got
>>
>> Error-code:    2100
>> Error-name:    ACIError
>> Error-msg:    Insufficient access: Insufficient 'write' privilege to
>> the 'krbPasswordExpiration' attribute of entry
>> 'uid=k812339,cn=users,cn=accounts,dc=kreditwerk,dc=de'.
>>
>> Inside the access log of the LDAP Server I could see...
>>
>> [09/Nov/2015:18:40:31 +0100] conn=658 op=7 MOD
>> dn="uid=k812339,cn=users,cn=accounts,dc=kreditwerk,dc=de"
>> [09/Nov/2015:18:40:31 +0100] conn=658 op=7 RESULT err=50 tag=103
>> nentries=0 etime=0
>>
>> So it looks like it is a permission issue. But I still have the
>> problem when I use admin to do the job. Any idea about how to change the
>> permission or an API that is able to do the job?
> You simply cannot make it work for cases when a password change is
> coming from a non-user. This is intentional.
>
> See http://www.freeipa.org/page/New_Passwords_Expired
>
> You can do a double change via LDAP password change (or Kerberos) where
> you change a
> password first to something temporary, then try to change it again as a
> user with that temporary password and set a new one. Since the second
> change would be done as a user, that should allow the change to happen
> without raising a flag.

You can use ipa/session/change_password call for that. With

Content-Type:application/x-www-form-urlencoded

and e.g.:

user:bbar
old_password:a
new_password:b

The Web UI uses it when a user with an expired password is resetting his pw. So 
you can check the communication in the browser network tab.


>>
>> Thanks in advance
>> Oliver
>>
>> On 11.11.2015 at 15:29, Oliver Dörr wrote:
>>> Hi,
>>>
>>> I'm still working with the JSON API and I now have the problem that
>>> I want to add a user with a not expired password. I've tried setattr
>>> and addattr with the following JSON code, but both fail.
>>> {"params":[[],{"givenname":"Oliver","userpassword":"start123","uid":"k812339","version":"2.151","addattr":"krbpasswordexpiration=20160207010919Z","cn":"Oliver Support","sn":"Support"}],"id":0,"method":"user_add"}
>>>
>>>
>>> {"params":[[],{"givenname":"Oliver","userpassword":"start123","uid":"k812339","version":"2.151","cn":"Oliver Support","setattr":"krbpasswordexpiration=20160207010919Z","sn":"Support"}],"id":0,"method":"user_add"}
>>>
>>>
>>>
>>>
>>> The user is added to IPA, but the user is still forced to change its
>>> password. In the response I could see that my krbpasswordexpiration
>>> is ignored.
>>>
>>> Any ideas what I'm doing wrong?
>>>
>>> Thanks
>>> Oliver
>>>
>>
>


-- 
Petr Vobornik
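The two-step flow described in this thread (admin adds the user with a temporary password, then the password is changed as that user via ipa/session/change_password), as an added Python example that is not code from the thread or from FreeIPA itself. It assumes a placeholder host, a caller-supplied `post(url, headers, body)` transport (for instance a requests session holding the admin's session cookie for the first call), and the server's `X-IPA-Pwchange-Result` response header for the outcome, which comes from the FreeIPA server code rather than from this thread.

```python
import json
from urllib.parse import urlencode

# Assumptions (example code, not FreeIPA's own): IPA_HOST is a placeholder and
# post(url, headers, body) is any HTTP transport returning
# (status, response_headers, response_body).
IPA_HOST = "ipa.example.test"


def user_add_body(uid, givenname, sn, password, version="2.151"):
    """JSON-RPC body for user_add. krbpasswordexpiration is deliberately not
    sent: the server ignores it on add and denies it on mod (see thread)."""
    opts = {"uid": uid, "givenname": givenname, "sn": sn,
            "userpassword": password, "version": version}
    return json.dumps({"method": "user_add", "params": [[], opts], "id": 0})


def change_password_body(user, old_password, new_password):
    """Form body for /ipa/session/change_password, the call the Web UI uses."""
    return urlencode({"user": user, "old_password": old_password,
                      "new_password": new_password})


def provision_unexpired_user(post, uid, givenname, sn, temp_pw, final_pw):
    """Admin creates the user with a temporary password (IPA marks it expired),
    then the change is made *as the user*, so the final password is not
    flagged. Returns the server's password-change result string."""
    base = f"https://{IPA_HOST}/ipa"
    # FreeIPA rejects RPC requests that carry no Referer header.
    status, _, body = post(f"{base}/session/json",
                           {"Content-Type": "application/json",
                            "Accept": "application/json", "Referer": base},
                           user_add_body(uid, givenname, sn, temp_pw))
    reply = json.loads(body)
    if status != 200 or reply.get("error"):
        raise RuntimeError(f"user_add failed: {reply.get('error')}")
    # No admin session is needed here: the user proves the old password.
    status, headers, _ = post(f"{base}/session/change_password",
                              {"Content-Type": "application/x-www-form-urlencoded",
                               "Referer": base},
                              change_password_body(uid, temp_pw, final_pw))
    # Outcome is reported in this header (ok, invalid-password, policy-error,
    # ...); the body is HTML intended for the Web UI.
    result = headers.get("X-IPA-Pwchange-Result", "error")
    if status != 200 or result != "ok":
        raise RuntimeError(f"change_password failed: {result}")
    return result
```

Any policy failure on the second step (for example a new password that violates the password policy) surfaces as the header value, so the temporary password is the one that remains set in that case.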



