Hi Florence, thanks for your reply. The problem was that I've been trying to change the password of an user who is am member of the 'admin' group. It works just fine for ordinary users. I'm going to create a dedicated user account for users who are going to have admin privileges. Thanks for your help, Thomas On Fri, 2018-10-19 at 10:27 +0200, Florence Blanc-Renaud wrote: On 10/19/18 7:43 AM, Thomas Höll via FreeIPA-users wrote: Hi All, I've been building a password self service application which talks to the FreeIPA REST API to reset a user's password. This is working perfectly when I use the 'admin' user to perform the operation, but I don't want to do that in production because of reasons. So I've created a dedicated service account and assigned the role 'helpdesk' (I've also tried 'User Administrator'). I can perform changes like modifying another user's email address, but I can't reset the password. The error is: code=2100 message=Insufficient access: Insufficient 'write' privilege to the 'userPassword' attribute of entry 'uid=XXXXXXXXX'. data={info=Insufficient 'write' privilege to the 'userPassword' attribute of entry 'uid=tho,cn=users,cn=accounts,dc=ipa,dc=diges,dc=org'.} name=ACIError Any ideas? Hi Thomas, The 'helpdesk' role should be sufficient to reset another user's password because it contains the privilege 'Modify Users and Reset passwords' which in turns grants the permission 'System: Change User password'. I did the following and it's working: (create a special user 'pwdchger' with helpdesk role) # kinit admin # ipa user-add pwdchger --first pwdchger --last pwdchger --password # ipa role-add-member helpdesk --users pwdchger (authenticate as this user and change another user's pwd) # kinit pwdchger # ipa user-mod test --password Password: Enter Password again to verify: -------------------- Modified user "test" -------------------- User login: test First name: test Last name: test Home directory: /home/test Login shell: /bin/sh Principal name: test@DOMAIN.COM<mailto:test@DOMAIN.COM> Principal alias: test@DOMAIN.COM<mailto:test@DOMAIN.COM> Email address: test@domain.com<mailto:test@domain.com> UID: 411000001 GID: 411000001 Account disabled: False Password: True Member of groups: ipausers Kerberos keys available: True # (also working with ipa passwd) # ipa passwd test New Password: Enter New Password again to verify: ------------------------------------------------------------------ Changed password for "test@DOMAIN.COM<mailto:test@DOMAIN.COM>" ------------------------------------------------------------------ If you are using the API, you should get the same result, provided that the right user is authenticated. You can check in /var/log/httpd/error_log which user is performing the call: when pwdchger tries to change 'test' password: ipa: INFO: [jsonserver_kerb] pwdchger@DOMAIN.COM<mailto:pwdchger@DOMAIN.COM>: user_mod/1(u'test', userpassword=u'********', version=u'2.229'): SUCCESS or when test tries to change 'pwdchger' password: ipa: INFO: [jsonserver_kerb] test@DOMAIN.COM<mailto:test@DOMAIN.COM>: user_mod/1(u'pwdchger', userpassword=u'********', version=u'2.229'): ACIError HTH, flo Regards, Thomas _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org<mailto:freeipa-users-leave@lists.fedorahosted.org> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... -- NeosIT GmbH Wir schaffen IT, die die Welt ein Stück einfacher macht. Schachtweg 1 38440 Wolfsburg Tel. +49 5361 83494-23 Fax +49 5361 83494-94 mailto:thomas.hoell@neos-it.de<mailto:christoph.steindorff@neos-it.de> http://www.neos-it.de/ Handelsregister: Amtsgericht Braunschweig, HRB 203557 Geschäftsführer: Sebastian Schier