Tiemen Ruiten wrote:
> Hello,
> 
> Sorry for the late reply. This is the latest FreeIPA version in CentOS
> 7.3 (4.4.0-14). 
> 
> Indeed the helpdesk role should be sufficient. I tried with the User
> Administrator role as well, but that made no difference. Since it's
> working for you, it's likely a config error, but I have no idea where to
> look at this point. Do you have any pointers?

I'd start with something simple:

$ ipa user-show --all --raw <the keycloak user>

This will show all memberships, including those nested in roles. Ensure
that the "Change user password" is included.

Debugging ACIs at a lower level isn't fun but it's possible.

rob

> 
> On 4 August 2017 at 19:19, Rob Crittenden <rcrit...@redhat.com> wrote:
> 
>     Tiemen Ruiten via FreeIPA-users wrote:
>     > As I mentioned in my first mail, that doesn't work. For testing, I
>     > created a new role that contains the following privileges:
>     >
>     > Group Administrators
>     > Modify Group membership
>     > Modify Users and Reset passwords
>     > User Administrators
>     >
>     > Unfortunately, I get the same error.
> 
>     What version of IPA is this? The helpdesk role should be sufficient (and
>     works for me).
> 
>     rob
> 
>     >
>     > On 4 August 2017 at 17:40, Bob Rentschler <bob.rentsch...@gmail.com> wrote:
>     >
>     >     Assigning roles to your user will fix that issue. The existing "User
>     >     Administrator" role may fit your needs, but I am unsure how restrictive
>     >     you want to be with permissions.
>     >
>     >
>     >     If you want to be more restrictive a custom role with "System:
>     >     Change User password" permissions would seem to be the right way.
>     >
>     >     Make a privilege that contains only that permission (and any other
>     >     missing permissions down the road) add it to a new role and then
>     >     assign that role to your user.
>     >
>     >
>     >     Bob
>     >
>     >     On Fri, Aug 4, 2017 at 10:12 AM, Tiemen Ruiten via FreeIPA-users
>     >     <freeipa-users@lists.fedorahosted.org> wrote:
>     >
>     >         Hello,
>     >
>     >         I setup an LDAP User Federation in Keycloak to our FreeIPA
>     >         domain. Unfortunately, the password reset functionality appears
>     >         to only work when the user Keycloak binds as is in the admins
>     >         group. I tried both the User Administrator and helpdesk roles,
>     >         but always got this error:
>     >
>     >         Caused by: javax.naming.NoPermissionException: [LDAP: error code
>     >         50 - Insufficient 'write' privilege to the 'userPassword'
>     >         attribute of entry
>     >         'uid=xxxxx,cn=users,cn=accounts,dc=example,dc=com'
>     >
>     >         Is there a way to allow password resets without adding the
>     >         keycloak bind user to the admins group?
>     >
>     >
>     >         --
>     >         Tiemen Ruiten
>     >         Systems Engineer
>     >         R&D Media
>     >
>     >         _______________________________________________
>     >         FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>     >         To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>     >
>     >
>     >
>     >
>     >
>     > --
>     > Tiemen Ruiten
>     > Systems Engineer
>     > R&D Media
>     >
>     >
>     >
> 
> 
> 
> 
> -- 
> Tiemen Ruiten
> Systems Engineer
> R&D Media
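The procedure Bob outlines (a privilege holding only "System: Change User password", wrapped in a role, assigned to the bind account) together with the membership check Rob suggests, written out as an added example. This script is not from the thread or from the FreeIPA project: the account name "keycloak", the privilege and role names, the example DNs and the IPA hook (so the script can be dry-run with IPA=echo) are all assumptions made here.

```shell
#!/bin/bash
# Added example, not code from the thread: give one bind account the right
# to reset other users' passwords through its own privilege and role, then
# verify it. Assumptions (ours, not the thread's): the bind account is
# "keycloak", the privilege/role names are arbitrary, and IPA is a hook so
# the script can be dry-run with IPA=echo instead of a real server.
set -eu
IPA="${IPA:-ipa}"

# Built-in managed permission that grants write access to userPassword,
# the attribute named in Keycloak's "Insufficient 'write' privilege" error.
PERM="System: Change User password"

# Privilege -> role -> user. The privilege carries only PERM, so the bind
# account gets nothing else and stays out of the admins group.
grant_password_reset() {
    local user="$1" priv="$2" role="$3"
    "$IPA" privilege-add "$priv" --desc="Reset user passwords only"
    "$IPA" privilege-add-permission "$priv" --permissions="$PERM"
    "$IPA" role-add "$role" --desc="Password reset for LDAP federation bind account"
    "$IPA" role-add-privilege "$role" --privileges="$priv"
    "$IPA" role-add-member "$role" --users="$user"
}

# Given the output of `ipa user-show USER --all --raw` on stdin, succeed
# when PERM appears among the user's memberships (direct or nested). In
# --raw mode memberships are printed as DNs, and permissions live under
# cn=permissions,cn=pbac,<suffix>; both memberof and memberofindirect are
# accepted.
raw_output_grants_password_change() {
    grep -iE '^[[:space:]]*memberof(indirect)?:[[:space:]]*cn=system: change user password,cn=permissions,cn=pbac,' >/dev/null
}

# Fetch the user and run the check above (the step Rob suggests).
user_can_reset_passwords() {
    "$IPA" user-show "$1" --all --raw | raw_output_grants_password_change
}

# End-to-end check that does what Keycloak does: an LDAP modify replacing
# userPassword while bound as the federation account. The bind password is
# read from a file (-y) so it does not appear on the command line.
# All DNs are placeholders to fill in.
ldap_reset_as_bind_user() {
    local uri="$1" bind_dn="$2" pw_file="$3" target_dn="$4" new_pw="$5"
    ldapmodify -H "$uri" -D "$bind_dn" -y "$pw_file" <<EOF
dn: $target_dn
changetype: modify
replace: userPassword
userPassword: $new_pw
EOF
}

# Usage against a real server, as an IPA admin with a Kerberos ticket:
#   grant_password_reset keycloak "Keycloak password reset" "Keycloak Password Reset"
#   user_can_reset_passwords keycloak && echo "permission reachable"
#   ldap_reset_as_bind_user ldaps://ipa.example.com \
#       uid=keycloak,cn=users,cn=accounts,dc=example,dc=com /root/kc.pw \
#       uid=someuser,cn=users,cn=accounts,dc=example,dc=com 'N3wPassw0rd!'
```

One caveat worth knowing before wiring this into a self-service flow: FreeIPA treats a password set by anyone other than the user as an administrative reset and marks it expired, so the user will be forced to change it again at their next login to IPA.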