As I mentioned in my first mail, that doesn't work. For testing, I created a new role that contains the following privileges:

Group Administrators
Modify Group membership
Modify Users and Reset passwords
User Administrators

Unfortunately, I get the same error.

On 4 August 2017 at 17:40, Bob Rentschler <bob.rentsch...@gmail.com> wrote:

> Assigning roles to your user will fix that issue. The existing "User
> Administrator" role may fit your needs, but I am unsure how restrictive
> you want to be with permissions.
>
> If you want to be more restrictive a custom role with "System: Change User
> password" permissions would seem to be the right way.
>
> Make a privilege that contains only that permission (and any other missing
> permissions down the road) add it to a new role and then
> assign that role to your user.
>
> Bob
>
> On Fri, Aug 4, 2017 at 10:12 AM, Tiemen Ruiten via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> Hello,
>>
>> I set up an LDAP User Federation in Keycloak to our FreeIPA domain.
>> Unfortunately, the password reset functionality appears to only work when
>> the user Keycloak binds as is in the admins group. I tried both the User
>> Administrator and helpdesk roles, but always got this error:
>>
>> Caused by: javax.naming.NoPermissionException: [LDAP: error code 50 -
>> Insufficient 'write' privilege to the 'userPassword' attribute of entry
>> 'uid=xxxxx,cn=users,cn=accounts,dc=example,dc=com'
>>
>> Is there a way to allow password resets without adding the keycloak bind
>> user to the admins group?
>>
>> --
>> Tiemen Ruiten
>> Systems Engineer
>> R&D Media
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>

--
Tiemen Ruiten
Systems Engineer
R&D Media