Assigning roles to your userwill fix that issue. The existing "User
Administrator" role may fit your needs, but I am unsure how restrictive
you want to be with permissions.

If you want to be more restrictive a custom role with "System: Change User
password" permissions would seem to be the right way.

Make a privilege that contains only that permission (and and other missing
permissions down the road) add it to a new role and then
assign that role to your user.


On Fri, Aug 4, 2017 at 10:12 AM, Tiemen Ruiten via FreeIPA-users <> wrote:

> Hello,
> I setup an LDAP User Federation in Keycloak to our FreeIPA domain.
> Unfortunately, the password reset functionality appears to only work when
> the user Keycloak binds as is in the admins group. I tried both the User
> Administrator and helpdesk roles, but always got this error:
> Caused by: javax.naming.NoPermissionException: [LDAP: error code 50 -
> Insufficient 'write' privilege to the 'userPassword' attribute of entry
> 'uid=xxxxx,cn=users,cn=accounts,dc=example,dc=com'
> Is there a way to allow password resets without adding the keycloak bind
> user to the admins group?
> --
> Tiemen Ruiten
> Systems Engineer
> R&D Media
> _______________________________________________
> FreeIPA-users mailing list --
> To unsubscribe send an email to
FreeIPA-users mailing list --
To unsubscribe send an email to

Reply via email to