Hey

When I tried to change krbpasswordexpiration for the test user I got this error:

ipa user-mod test --setattr=krbPasswordExpiration=20381231011529Z

ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
'krbPasswordExpiration' attribute of entry
'uid=test,cn=users,cn=accounts,dc=sf'.

I used kinit admin before. How can I add permission for admin to edit
krbPasswordExpiration?


On 09/25/2017 03:48 PM, Rob Crittenden via FreeIPA-users wrote:
> Michael Gusek via FreeIPA-users wrote:
>> Hey,
>>
>> you can try something like this:
>>
>> ipa user-find --sizelimit=0 | grep "Anmeldename:" | awk '{ print $2 }' |
>> xargs -i bash -c "echo password | ipa user-mod {} --passwd"
>>
>> This will reset all passwords to password 'password'. Each user has to
>> log in with the new password and has to change it immediately. You can
>> expand the one-liner to exclude some accounts with
>>
>> ipa user-find --sizelimit=0 | grep "Anmeldename:" | grep -v "admin" |
>> grep -v "some_account" | awk ...
>>
>> "Anmeldename:" fits a German locale, please change that for your
>> locale.
> Another option would be to collect the list of users in a similar way
> that Michael suggests and then change krbpasswordexpiration to something
> way in the past to expire the *current* password. Then users won't all
> have the same or similar password and/or you don't need to distribute
> new passwords to everyone.
>
> The thing is though you need to be Directory Manager to write that
> attribute so you'd collect all the userids and then you'd need to loop
> through them using ldapmodify to set a new value.
>
> rob
>
>> Micha
>>
>>
>> On 25.09.2017 at 13:18, xattab--- via FreeIPA-users wrote:
>>> Hi!
>>>
>>> I changed the password policy and I need to force everyone (excluding one
>>> directory) to change passwords.
>>>
>>> How to implement it?
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
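The loop Rob describes above (collect the user IDs, then write krbPasswordExpiration with ldapmodify as Directory Manager), sketched as an added example that is not part of the original thread or FreeIPA's own code. The helper names, the past timestamp and the host are assumptions; the `dc=sf` suffix and the `cn=users,cn=accounts` container are taken from the error message quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): emit one LDIF modify record per user
# that sets krbPasswordExpiration to a past time, expiring the current password.

SUFFIX="dc=sf"              # suffix as it appears in the error message above
EXPIRY="20000101000000Z"    # constructed value: any past GeneralizedTime (UTC)

# build_expiry_ldif EXPIRY SUFFIX [excluded_uid ...]   (hypothetical helper)
# Reads one uid per line on stdin and writes LDIF on stdout.
# The body is a subshell, so its variables stay local.
build_expiry_ldif() (
    expiry=$1; suffix=$2; shift 2
    digits=${expiry%Z}
    # Accept only YYYYMMDDhhmmssZ so a typo cannot write a malformed value.
    case $digits in ''|*[!0-9]*) echo "bad expiry: $expiry" >&2; return 2 ;; esac
    if [ "${#digits}" -ne 14 ] || [ "$expiry" = "$digits" ]; then
        echo "bad expiry: $expiry" >&2; return 2
    fi
    while IFS= read -r uid; do
        # Plain login names only: anything needing DN escaping is skipped.
        case $uid in
            ''|*[!A-Za-z0-9_.-]*) echo "skipping uid: '$uid'" >&2; continue ;;
        esac
        skip=0
        for ex in "$@"; do
            if [ "$uid" = "$ex" ]; then skip=1; fi
        done
        if [ "$skip" -eq 1 ]; then continue; fi
        printf 'dn: uid=%s,cn=users,cn=accounts,%s\n' "$uid" "$suffix"
        printf 'changetype: modify\nreplace: krbPasswordExpiration\n'
        printf 'krbPasswordExpiration: %s\n\n' "$expiry"
    done
    return 0
)

# Constructed sample list standing in for the collected logins.
sample_uids() { printf '%s\n' admin test alice 'bad,uid' some_account; }

# Review the generated LDIF before applying it.
sample_uids | build_expiry_ldif "$EXPIRY" "$SUFFIX" admin some_account

# To apply, pipe the same output into ldapmodify bound as Directory Manager
# (ipa.example.test is a placeholder host; -W prompts for the password):
#   ... | ldapmodify -x -H ldap://ipa.example.test -D "cn=Directory Manager" -W
```

Excluded accounts are passed as trailing arguments, so service or break-glass logins can be left untouched while everyone else is forced to change password at next login.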