On 11/30/2015 02:25 PM, Gašper Bregar wrote:
> I have been struggling with FreeIPA and AD password sync for a couple of
> days now. At first everything was working fine, but then all of a sudden
> the synchronization started to fail for me and another user.
> The error in passsync log was
> Ldap error in ModifyPassword
>> 50: Insufficient access
> It took me some time to figure out that it was failing just for the two of us.
> It was failing because we were in the admin user group in FreeIPA. Is this
> intentional? Is it possible to somehow change this behaviour with a
> setting?
> Regards,
> Gašper

Hello Gašper,

I assume you are running with FreeIPA version 4.0 and above. At the moment,
this is expected behavior, based on the permission configuration:

        'System: Change User password': {
            'ipapermright': {'write'},
            'ipapermtargetfilter': [
                '(!(memberOf=%s))' % DN('cn=admins', ...),
            ],
            'ipapermdefaultattr': {
                'krbprincipalkey', 'passwordhistory', 'sambalmpassword',
                'sambantpassword', 'userpassword'
            },
            'default_privileges': {
                'User Administrators',
                'Modify Users and Reset passwords',
                'PassSync Service',
            },
        },

"PassSync Service" cannot indeed change passwords of admins group. I am
wondering if we want to change the default, which was added so that lower-level
administrators cannot change password of top level admins and impersonate them
for example. Simo, any opinion?

If you want to allow that, you could also add a new permission that allows
changing admins group passwords and assign it to the "PassSync Service" privilege.
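As an added example that is not part of the thread or of FreeIPA's own code, the CLI form of the workaround the reply suggests: a new, narrowly scoped permission for admins group passwords attached to the existing "PassSync Service" privilege. It assumes FreeIPA 4.x, a valid admin Kerberos ticket, and a permission name of my choosing; `--memberof=admins` is the CLI option that sets the memberOf target filter the Python definition builds with DN().

```shell
#!/bin/sh
# Added example, not code from the thread or the FreeIPA project.
# Creates a separate permission covering members of cn=admins (which the
# default "System: Change User password" permission excludes) and attaches
# it to the "PassSync Service" privilege. Assumes FreeIPA 4.x and an admin
# Kerberos ticket. PERM_NAME is a placeholder name chosen here.

PERM_NAME="PassSync: Change admins password"   # placeholder, rename freely
PRIV_NAME="PassSync Service"                   # existing privilege from the thread
IPA=${IPA:-ipa}   # set IPA=echo to print the commands instead of running them

# Grant: same password attributes as the default permission, but targeted
# at members of the admins group instead of excluding them (--memberof sets
# the memberOf target filter that the Python definition builds with DN()).
grant_passsync_admin_perm() {
    "$IPA" permission-add "$PERM_NAME" \
        --type=user --memberof=admins --right=write \
        --attrs=userpassword --attrs=krbprincipalkey --attrs=passwordhistory \
        --attrs=sambalmpassword --attrs=sambantpassword &&
    "$IPA" privilege-add-permission "$PRIV_NAME" --permissions="$PERM_NAME"
}

# Check: show the resulting permission, its filter and the privileges using it.
show_passsync_admin_perm() {
    "$IPA" permission-show "$PERM_NAME" --all
}

# Rollback: detach the permission from the privilege and delete it again.
revoke_passsync_admin_perm() {
    "$IPA" privilege-remove-permission "$PRIV_NAME" --permissions="$PERM_NAME"
    "$IPA" permission-del "$PERM_NAME"
}

# Usage: sh this_script.sh grant|show|revoke (no argument does nothing).
case "${1:-}" in
    grant)  grant_passsync_admin_perm ;;
    show)   show_passsync_admin_perm ;;
    revoke) revoke_passsync_admin_perm ;;
esac
```

Because the new permission is scoped to admins group members only, the default permission and its exclusion stay untouched; the trade-off raised in the reply still applies, since whoever holds the "PassSync Service" privilege can then reset admin passwords.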


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
