It relies on the Kerberos TGT you currently have. I assume you log into the UI as admin but on the cli you have a ticket for yourself.

Use klist to find out.

To become admin: kinit admin

rob

Philippe de Rochambeau wrote:
> Hi Rob,
> I’m not at work anymore.
> How do you find out which credentials you need to modify users in ipa?
> Do you need to be root?
> When using the FreeIPA GUI, I’ve no problem creating and modifying users,
> adding them to groups, etc.
> However, in the GUI, the password-expiration field is readonly, which is why
> I have attempted modifying its value on the CLI.
>
>> On 7 Feb 2023, at 18:53, Rob Crittenden <[email protected]> wrote:
>>
>> What user principal are you using? Do you have permissions to modify
>> this other user's information? The error message says you don't.
>>
>> rob
>>
>> [email protected] wrote:
>>>
>>> Hi Rob,
>>>
>>> thanks for your feedback.
>>>
>>> Unfortunately,
>>>
>>> ipa user-mod user1 --setattr givenname=phili
>>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
>>> 'givenName' attribute of entry 'uid=...'.
>>>
>>>>> In general we strongly encourage you to upgrade to a supported release
>>>
>>> I wish I could. I'll report it to my manager.
>>>
>>> ----- Original message -----
>>> From: "Rob Crittenden" <[email protected]>
>>> To: "FreeIPA users list" <[email protected]>
>>> Cc: [email protected]
>>> Sent: Tuesday, 7 February 2023 17:51:20
>>> Subject: Re: [Freeipa-users] Re: password-expiration
>>>
>>> When using --setattr you have to use the LDAP attribute name. So in this
>>> case givenname.
>>>
>>> 4.5.4 is getting along to 6 years old now. In general we strongly
>>> encourage you to upgrade to a supported release, one release at a time
>>> (there is no going from 4.5 to 4.10 directly).
>>>
>>> rob
>>>
>>> None via FreeIPA-users wrote:
>>>>
>>>> Hi Florence,
>>>>
>>>> I've tried the --setattr option with 'first',
>>>>
>>>> ipa user-mod user1 --setattr first=phil
>>>>
>>>> ...
>>>> but to no avail
>>>>
>>>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
>>>> 'first' attribute of
>>>> entry 'uid=...'.
>>>>
>>>> ----- Original message -----
>>>> From: "Florence Blanc-Renaud via FreeIPA-users"
>>>> <[email protected]>
>>>> To: [email protected]
>>>> Cc: [email protected], "Florence Blanc-Renaud"
>>>> <[email protected]>
>>>> Sent: Tuesday, 7 February 2023 17:37:19
>>>> Subject: [Freeipa-users] Re: password-expiration
>>>>
>>>> Hi,
>>>>
>>>> On Tue, Feb 7, 2023 at 5:23 PM < [email protected] > wrote:
>>>>
>>>> Hi Florence,
>>>> alas, same issue
>>>>
>>>> ipa: error: no such option: --password-expiration
>>>>
>>>> Ok, the functionality was added in 4.6.0 (see Release notes) so you need
>>>> to use directly ipa user-mod LOGIN --setattr krbpasswordexpiration=VALUE
>>>> flo
>>>>
>>>> ----- Original message -----
>>>> From: "Florence Blanc-Renaud" < [email protected] >
>>>> To: [email protected]
>>>> Cc: [email protected]
>>>> Sent: Tuesday, 7 February 2023 17:12:32
>>>> Subject: Re: [Freeipa-users] password-expiration
>>>>
>>>> Hi,
>>>>
>>>> On Tue, Feb 7, 2023 at 4:49 PM < [email protected] > wrote:
>>>>
>>>> Hi Florence,
>>>> unfortunately,
>>>>
>>>> ipa user-mod user1 --krbpasswordexpiration='2024-06-28 07:49:37Z'
>>>> Usage: ipa [global-options] user-mod LOGIN [options]
>>>>
>>>> ipa: error: no such option: --krbpasswordexpiration
>>>>
>>>> My bad, I copied the attribute name instead of the CLI option name. Can
>>>> you try with
>>>> ipa user-mod LOGIN --password-expiration=DATETIME
>>>>
>>>> Note: if you type ipa user-mod --help you can see all the available
>>>> options.
>>>> flo
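
Added example, not part of the thread or of FreeIPA itself: a pre-flight check for the two failure points discussed above, namely which principal the current Kerberos ticket belongs to and how the `--setattr krbpasswordexpiration` value is written. The realm `EXAMPLE.TEST`, the sample `klist` text and the function names are constructed, and the script assumes the attribute value is given in LDAP GeneralizedTime form (`YYYYMMDDHHMMSSZ`).

```shell
#!/bin/sh
# Added example: checks to run before `ipa user-mod ... --setattr krbpasswordexpiration=...`.
# EXAMPLE.TEST, user1 and the sample klist text are constructed placeholders.

# Print the default principal from `klist` output read on stdin.
klist_principal() {
    sed -n 's/^Default principal:[[:space:]]*//p' | head -n 1
}

# Convert 'YYYY-MM-DD HH:MM:SSZ' (UTC) to LDAP GeneralizedTime 'YYYYMMDDHHMMSSZ'.
# Returns 1 for any other shape so a malformed value never reaches the server.
to_generalized_time() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]\ [0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z)
            printf '%sZ\n' "$(printf '%s' "$1" | tr -cd '0-9')" ;;
        *) return 1 ;;
    esac
}

# Build (do not run) the user-mod command. Refuses when the ticket is not for
# the expected principal, which is the cause of "Insufficient 'write' privilege".
# Args: klist-output, wanted principal, login, datetime.
build_user_mod() {
    have=$(printf '%s\n' "$1" | klist_principal)
    if [ "$have" != "$2" ]; then
        echo "ticket is for '${have:-nobody}', need '$2': run kinit first" >&2
        return 2
    fi
    when=$(to_generalized_time "$4") || { echo "bad datetime: $4" >&2; return 3; }
    printf 'ipa user-mod %s --setattr krbpasswordexpiration=%s\n' "$3" "$when"
}

# Constructed klist output for a ticket that does not belong to admin.
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:1000:1000
Default principal: philippe@EXAMPLE.TEST

Valid starting       Expires              Service principal
02/07/2023 17:00:01  02/08/2023 17:00:01  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST'

# On a real client, pass the live ticket cache instead of the sample:
#   build_user_mod "$(klist 2>/dev/null)" admin@EXAMPLE.TEST user1 '2024-06-28 07:49:37Z'
```
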
