It relies on the Kerberos TGT you currently have. I assume you log into
the UI as admin but on the CLI you have a ticket for yourself.

Use klist to find out.

To become admin: kinit admin

rob

Philippe de Rochambeau wrote:
> Hi Rob,
> I’m not at work anymore.
> How do you find out which credentials you need to modify users in ipa?
> Do you need to be root?
> When using the FreeIPA GUI, I’ve no problem creating and modifying users, 
> adding them to groups, etc.
> However, in the GUI, the password-expiration field is read-only, which is why 
> I have attempted modifying its value on the CLI.
> 
>> On 7 Feb 2023, at 18:53, Rob Crittenden <[email protected]> wrote:
>>
>> What user principal are you using? Do you have permissions to modify
>> this other user's information? The error message says you don't.
>>
>> rob
>>
>> [email protected] wrote:
>>>
>>> Hi Rob,
>>>
>>> thanks for your feedback.
>>>
>>> Unfortunately,
>>>
>>> ipa user-mod user1 --setattr givenname=phili
>>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 
>>> 'givenName' attribute of entry 'uid=...'.
>>>
>>>
>>>>> In general we strongly encourage you to upgrade to a supported release
>>>
>>> I wish I could. I'll report it to my manager.
>>>
>>>
>>>
>>>
>>> ----- Original Message -----
>>> From: "Rob Crittenden" <[email protected]>
>>> To: "FreeIPA users list" <[email protected]>
>>> Cc: [email protected]
>>> Sent: Tuesday, 7 February 2023 17:51:20
>>> Subject: Re: [Freeipa-users] Re: password-expiration
>>>
>>> When using --setattr you have to use the LDAP attribute name. So in this
>>> case givenname.
>>>
>>> 4.5.4 is getting along to 6 years old now. In general we strongly
>>> encourage you to upgrade to a supported release, one release at a time
>>> (there is no going from 4.5 to 4.10 directly).
>>>
>>> rob
>>>
>>> None via FreeIPA-users wrote:
>>>>
>>>>
>>>> Hi Florence,
>>>>
>>>> I've tried the --setattr option with 'first', 
>>>>
>>>>
>>>> ipa user-mod user1 --setattr first=phil
>>>>
>>>> ... but to no avail 
>>>>
>>>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 
>>>> 'first' attribute of 
>>>> entry 'uid=...'.
>>>>
>>>>
>>>>
>>>> ----- Original Message -----
>>>> From: "Florence Blanc-Renaud via FreeIPA-users" 
>>>> <[email protected]>
>>>> To: [email protected]
>>>> Cc: [email protected], "Florence Blanc-Renaud" 
>>>> <[email protected]>
>>>> Sent: Tuesday, 7 February 2023 17:37:19
>>>> Subject: [Freeipa-users] Re: password-expiration
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Hi, 
>>>>
>>>>
>>>>
>>>> On Tue, Feb 7, 2023 at 5:23 PM <[email protected]> wrote:
>>>>
>>>>
>>>> Hi Florence, 
>>>> alas, same issue 
>>>>
>>>> ipa: error: no such option: --password-expiration 
>>>>
>>>>
>>>>
>>>> Ok, the functionality was added in 4.6.0 (see Release notes) so you need 
>>>> to use directly ipa user-mod LOGIN --setattr krbpasswordexpiration=VALUE 
>>>> flo 
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> ----- Original Message -----
>>>> From: "Florence Blanc-Renaud" <[email protected]>
>>>> To: [email protected]
>>>> Cc: [email protected]
>>>> Sent: Tuesday, 7 February 2023 17:12:32
>>>> Subject: Re: [Freeipa-users] password-expiration
>>>>
>>>>
>>>>
>>>>
>>>> Hi, 
>>>>
>>>>
>>>>
>>>> On Tue, Feb 7, 2023 at 4:49 PM <[email protected]> wrote:
>>>>
>>>>
>>>> Hi Florence, 
>>>> unfortunately, 
>>>>
>>>> ipa user-mod user1 --krbpasswordexpiration='2024-06-28 07:49:37Z' 
>>>> Usage: ipa [global-options] user-mod LOGIN [options] 
>>>>
>>>> ipa: error: no such option: --krbpasswordexpiration 
>>>>
>>>>
>>>> My bad, I copied the attribute name instead of the CLI option name. Can 
>>>> you try with 
>>>> ipa user-mod LOGIN --password-expiration=DATETIME 
>>>>
>>>>
>>>> Note: if you type ipa user-mod --help you can see all the available 
>>>> options. 
>>>> flo 
>>>>
>>>>
>>>
>>
> 
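
The check described at the top of this message (find out which principal holds the TGT before retrying the modification), as an added example that is not part of the original thread. The klist output, the realm EXAMPLE.TEST and the principal user2 are constructed, and writing the --setattr value in LDAP GeneralizedTime form (YYYYMMDDHHMMSSZ) is an assumption.

```shell
#!/bin/sh
# Added example: confirm who holds the Kerberos TGT before an IPA write,
# then format the krbpasswordexpiration value for --setattr.

# Print the default principal found in `klist` output read on stdin.
klist_principal() {
    sed -n 's/^Default principal: *//p' | head -n 1
}

# Succeed only if the ticket cache (klist output on stdin) belongs to
# the expected user. $1 = user name without realm, e.g. "admin".
is_principal() {
    p=$(klist_principal)
    [ "${p%%@*}" = "$1" ]
}

# Convert 'YYYY-MM-DD HH:MM:SSZ' to GeneralizedTime 'YYYYMMDDHHMMSSZ'
# (assumed value format). Returns 1 for any other input shape.
to_generalized_time() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}Z$' || return 1
    printf '%s\n' "$1" | tr -d ' :-'
}

# Print (not run) the user-mod command for login $1 and datetime $2.
build_user_mod() {
    ts=$(to_generalized_time "$2") || return 1
    printf 'ipa user-mod %s --setattr krbpasswordexpiration=%s\n' "$1" "$ts"
}

# Constructed sample of what klist prints for a non-admin ticket.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user2@EXAMPLE.TEST

Valid starting       Expires              Service principal
02/07/2023 18:40:01  02/08/2023 18:40:01  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST'

# On a real client, pipe the live output instead: klist | is_principal admin
if printf '%s\n' "$SAMPLE_KLIST" | is_principal admin; then
    build_user_mod user1 '2024-06-28 07:49:37Z'
else
    who=$(printf '%s\n' "$SAMPLE_KLIST" | klist_principal)
    echo "TGT belongs to $who, not admin; run: kinit admin" >&2
fi
```

With the sample ticket the script stops at the identity check, which is the same condition that produced the "Insufficient 'write' privilege" error in the thread.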