Hi Florence,
thanks for your reply. The problem was that I've been trying to change the password of
a user who is a member of the 'admin' group.
It works just fine for ordinary users.
I'm going to create a dedicated user account for users who are going to have admin
privileges.
Thanks for your help,
Thomas
On Fri, 2018-10-19 at 10:27 +0200, Florence Blanc-Renaud wrote:
On 10/19/18 7:43 AM, Thomas Höll via FreeIPA-users wrote:
Hi All,
I've been building a password self service application which talks to
the FreeIPA REST API to reset a user's password. This is working
perfectly when I use the 'admin' user to perform the operation, but I
don't want to do that in production because of reasons.
So I've created a dedicated service account and assigned the role
'helpdesk' (I've also tried 'User Administrator'). I can perform
changes like modifying another user's email address, but I can't reset
the password.
The error is:
code=2100
message=Insufficient access: Insufficient 'write' privilege to the
'userPassword' attribute of entry 'uid=XXXXXXXXX'.
data={info=Insufficient 'write' privilege to the 'userPassword' attribute
of entry 'uid=tho,cn=users,cn=accounts,dc=ipa,dc=diges,dc=org'.}
name=ACIError
Any ideas?
Hi Thomas,
The 'helpdesk' role should be sufficient to reset another user's
password because it contains the privilege 'Modify Users and Reset
passwords' which in turn grants the permission 'System: Change User
password'.
I did the following and it's working:
(create a special user 'pwdchger' with helpdesk role)
# kinit admin
# ipa user-add pwdchger --first pwdchger --last pwdchger --password
# ipa role-add-member helpdesk --users pwdchger
(authenticate as this user and change another user's pwd)
# kinit pwdchger
# ipa user-mod test --password
Password:
Enter Password again to verify:
--------------------
Modified user "test"
--------------------
User login: test
First name: test
Last name: test
Home directory: /home/test
Login shell: /bin/sh
Principal name: test@DOMAIN.COM
Principal alias: test@DOMAIN.COM
Email address: test@domain.com
UID: 411000001
GID: 411000001
Account disabled: False
Password: True
Member of groups: ipausers
Kerberos keys available: True
#
(also working with ipa passwd)
# ipa passwd test
New Password:
Enter New Password again to verify:
------------------------------------------------------------------
Changed password for "test@DOMAIN.COM"
------------------------------------------------------------------
If you are using the API, you should get the same result, provided that
the right user is authenticated. You can check in
/var/log/httpd/error_log which user is performing the call:
when pwdchger tries to change 'test' password:
ipa: INFO: [jsonserver_kerb] pwdchger@DOMAIN.COM:
user_mod/1(u'test',
userpassword=u'********', version=u'2.229'): SUCCESS
or when test tries to change 'pwdchger' password:
ipa: INFO: [jsonserver_kerb] test@DOMAIN.COM:
user_mod/1(u'pwdchger',
userpassword=u'********', version=u'2.229'): ACIError
HTH,
flo
Regards,
Thomas
_______________________________________________
FreeIPA-users mailing list --
freeipa-users@lists.fedorahosted.org
--
NeosIT GmbH
We create IT that makes the world a little simpler.
Schachtweg 1
38440 Wolfsburg
Tel. +49 5361 83494-23
Fax +49 5361 83494-94
thomas.hoell@neos-it.de
http://www.neos-it.de/
Handelsregister: Amtsgericht Braunschweig, HRB 203557
Geschäftsführer: Sebastian Schier
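Florence's suggestion to check /var/log/httpd/error_log for which principal performed the call lends itself to a small audit script. The following Python is an added example, not code from the thread or from FreeIPA; it parses lines in the "ipa: INFO: [jsonserver_kerb] principal: command/N(args): result" format quoted above (tolerating the timestamp/pid prefix real httpd error_log lines carry) and summarises password-change attempts by principal, target and outcome so that ACIError denials and the identity actually used by a self-service application stand out. The sample log lines are constructed for the example.

```python
import re
from collections import Counter

# Matches the "ipa: INFO: [jsonserver_kerb] <principal>: <command>/<ver>(<args>): <result>"
# lines shown in the thread. re.search (not match) tolerates the
# "[date] [wsgi:error] [pid N]" prefix that real httpd error_log lines carry.
LINE_RE = re.compile(
    r"ipa: INFO: \[(?P<server>\w+)\] (?P<principal>\S+): "
    r"(?P<command>\w+)/\d+\((?P<args>.*)\): (?P<result>\w+)$"
)


def parse_ipa_call(line):
    """Return a dict describing one API call, or None if the line is not an ipa call line."""
    m = LINE_RE.search(line.rstrip())
    if not m:
        return None
    args = m.group("args")
    # The first positional argument is the target entry, e.g. u'test' -> test
    target = re.match(r"u?'([^']*)'", args)
    return {
        "principal": m.group("principal"),
        "command": m.group("command"),
        "target": target.group(1) if target else None,
        "password_change": "userpassword=" in args,
        "result": m.group("result"),
    }


def audit_password_changes(lines):
    """Count password-change calls by (principal, target, result) so that denied
    (ACIError) attempts and the principal that really made the call are visible."""
    summary = Counter()
    for line in lines:
        call = parse_ipa_call(line)
        if call and call["password_change"]:
            summary[(call["principal"], call["target"], call["result"])] += 1
    return summary


# Constructed sample lines in the format quoted in the thread (not real log data).
SAMPLE_LOG = [
    "[Fri Oct 19 10:27:00.000000 2018] [wsgi:error] [pid 1] ipa: INFO: [jsonserver_kerb] "
    "pwdchger@DOMAIN.COM: user_mod/1(u'test', userpassword=u'********', version=u'2.229'): SUCCESS",
    "ipa: INFO: [jsonserver_kerb] test@DOMAIN.COM: user_mod/1(u'pwdchger', "
    "userpassword=u'********', version=u'2.229'): ACIError",
    "ipa: INFO: [jsonserver_kerb] pwdchger@DOMAIN.COM: user_mod/1(u'test', "
    "mail=u'test@domain.com', version=u'2.229'): SUCCESS",
]

if __name__ == "__main__":
    for key, count in sorted(audit_password_changes(SAMPLE_LOG).items()):
        print(key, count)
```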