IPA requires users to change their passwords immediately

I am using IPA for authentication of RHEV-M.

I find that when I create a user account with

ipa useradd

the user has to change their password before they can log in to the User Portal.

I am not using IPA for anything other than authenticating RHEV-M.  If someone can recommend a way for users to change their passwords, that would be really helpful. 

One way that I have found for a user to change their password is for the user to ssh into the IPA server.  Then, after they enter their initial password, the user can change their password.  However, a web app for changing the password would be much better.