#1907 [RFE] password reset utility
Closed: Invalid. Opened 12 years ago by dpal.

https://bugzilla.redhat.com/show_bug.cgi?id=742606

Not a bug per se, but an enhancement request.

While it's possible for a user to reset their own password, it currently requires being hooked into some level of "real" account access, like SSH'ing in or providing kerberos credentials.  We are using FreeIPA to provide a user-management backend for web-based services we are providing to our customers, and don't want them to have to configure Kerberos, or SSH into an account, just to set their password.

It would be nice to have a "password reset" tool that is accessible securely (like over HTTPS) which doesn't require special credentials other than knowledge of the existing username and password.  One such example I'll be evaluating since there is no built-in facility for this is PWM:

http://code.google.com/p/pwm/

Thanks!

I've created a basic activation/reset UI based on the "migration UI" code that I believe minimally provides the requested functionality. Turns out I also have a use case for this!

I've dubbed it the "activation UI". It works very similarly to the migration UI in that a page is presented which requests username, password, new password and confirmation then binds to LDAP and issues an LDAPObject.passwd_s(dn,old,new) command after some very basic validation. Some (inadequate) reporting is then provided based on the outcome (success, invalid, error).

I've confirmed that this process properly changes userPassword, the Kerberos hash(es?) as well as sambaNTPassword (when Samba integration is enabled) as a newly created account with expired password can be run through the activation UI and the newly selected password then provides access to SSH, the web UI, LDAP binds and Samba.

It is also possible to use this UI to perform a simple password change/reset via the web.

I do not know if the password policy is enforced via this password change method but it appears to be (although I'm not catching the right exception yet it seems...).

Some notes:

- I developed this against ipa-server-2.0.0-23.el6_1.1.x86_64
- It looks like the migration UI has seen some updates between 2.0.0-23.el6_1.1 and freeipa-2.1.3, and it now uses get_ipa_basedn() from ipapython.ipautil to get the LDAP base DN instead of doing a direct ldap_search_ext_s() call. No big deal, but since my version is older and doesn't have get_ipa_basedn() available, the activation UI code uses the old method for finding the base DN.
- It appears as though some of the HTML/CSS from migration UI is broken and/or incomplete when compared to the web UI. The activation UI carries most of this over for better or worse.

I would like to contribute the code back to FreeIPA in one form or another. What's the best way of doing that? A diff against freeipa-2.1.3? A tarball + instructions?
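The flow that comment describes (form validation, a bind as the user, then `LDAPObject.passwd_s(dn, old, new)`), written out as an added example that is not the ticket's attached code. It assumes python-ldap's LDAPObject API, a connection object passed in by the caller (already over TLS), and a `posixAccount` search under a caller-supplied base DN; the base DN, filter and outcome keywords are assumptions.

```python
try:
    import ldap  # python-ldap, the library the activation UI calls
    SCOPE_SUBTREE = ldap.SCOPE_SUBTREE
    INVALID_CREDENTIALS = ldap.INVALID_CREDENTIALS
    CONSTRAINT_VIOLATION = ldap.CONSTRAINT_VIOLATION
except ImportError:  # lets the flow be exercised without python-ldap installed
    SCOPE_SUBTREE = 2
    class INVALID_CREDENTIALS(Exception): pass
    class CONSTRAINT_VIOLATION(Exception): pass

# RFC 4515 escaping so a submitted username cannot rewrite the search filter
_FILTER_ESC = {c: "\\%02x" % ord(c) for c in "\\*()\x00"}


def escape_filter(value):
    return "".join(_FILTER_ESC.get(ch, ch) for ch in value)


def validate_form(username, old_pw, new_pw, confirm_pw, min_len=8):
    """Form checks before any LDAP traffic; the server-side policy stays authoritative."""
    if not (username and old_pw and new_pw):
        return "all fields are required"
    if new_pw != confirm_pw:
        return "new passwords do not match"
    if new_pw == old_pw:
        return "new password must differ from the old one"
    if len(new_pw) < min_len:
        return "new password is too short"
    return None


def change_password(conn, base_dn, username, old_pw, new_pw, confirm_pw):
    """Bind as the user with the old password, then passwd_s(dn, old, new).
    `conn` is an LDAPObject (or test double); returns 'success', 'invalid', 'policy' or 'error'."""
    if validate_form(username, old_pw, new_pw, confirm_pw):
        return "invalid"
    flt = "(&(objectClass=posixAccount)(uid=%s))" % escape_filter(username)
    try:
        hits = conn.search_s(base_dn, SCOPE_SUBTREE, flt, ["dn"])
        if len(hits) != 1:
            return "invalid"  # same answer as a bad password: no user enumeration
        dn = hits[0][0]
        conn.simple_bind_s(dn, old_pw)
        conn.passwd_s(dn, old_pw, new_pw)
        return "success"
    except INVALID_CREDENTIALS:
        return "invalid"
    except CONSTRAINT_VIOLATION:  # how 389-ds commonly reports policy rejections
        return "policy"
    except Exception:
        return "error"
```

Reporting only the four outcome keywords to the browser keeps the server's error detail (which user exists, which policy rule failed) out of an unauthenticated page.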

Thank you! Your contribution is really appreciated!

Please rebase the patch against master and send the patch in diff format to freeipa-devel@redhat.com for review. If it contains several logical pieces of code, it might be better to split it into multiple patches for easier review and testing.

We switched to get_ipa_basedn() to support the case where anonymous bind is disabled in 389-ds.

A diff against the git master or ipa-2-1 branch is preferred. I'm assuming that all of this is contained in a single file; we can probably accept that if you are unfamiliar with git. This just may delay the review.

I'll follow the proper way of submitting patches; the information on doing so is available after all (I just found it by browsing the main site). I will also update the code to use get_ipa_basedn().

I'll see what I can do to spin up a VM and test the code against the ipa-2-1 branch. I have a feeling some of the CSS issues I'm seeing might be resolved if I'm running all the latest 2-1 branch code, and I don't really want to submit untested code.

The FreeIPA team reviewed the recent request for self-service password reset functionality and decided not to implement the feature as part of core FreeIPA. Self-service password reset solutions do not meet the level of security required by FreeIPA, and we would rather see it as a third-party integration project.

A wiki page with full reasoning can be found at our wiki:
http://www.freeipa.org/page/Self-Service_Password_Reset

Metadata Update from @dpal (7 years ago):
- Issue assigned to rcritten
- Issue set to the milestone: Ticket Backlog
