On Tue, 2015-12-01 at 12:57 +0100, Martin Kosek wrote:
> On 11/30/2015 02:25 PM, Gašper Bregar wrote:
> > I have been strugling with FreeIPA and AD password sync for a couple of
> > days now. At first everything was working fine, but then all of a sudden
> > the synchronization started to fail for me and another user.
> > 
> > The error in passsync log was
> > 
> > Ldap error in ModifyPassword
> >> 50: Insufficient access
> > 
> > 
> > It took me some time to figure out that it was failing just for the two us.
> > It was failing because we were in the admin user group in FreeIPA. Is this
> > intentional? Is it possible to somehow change this behaviour with a
> > setting?
> > 
> > Regards,
> > Gašper
> 
> Hello Gašper,
> 
> I assume you are running with FreeIPA version 4.0 and above. At the moment,
> this is expected behavior, based on the permission configuration:
> 
>         'System: Change User password': {
>             'ipapermright': {'write'},
>             'ipapermtargetfilter': [
>                 '(objectclass=posixaccount)',
>                 '(!(memberOf=%s))' % DN('cn=admins',
>                                         api.env.container_group,
>                                         api.env.basedn),
>             ],
>             'ipapermdefaultattr': {
>                 'krbprincipalkey', 'passwordhistory', 'sambalmpassword',
>                 'sambantpassword', 'userpassword'
>             },
> ...
>             'default_privileges': {
>                 'User Administrators',
>                 'Modify Users and Reset passwords',
>                 'PassSync Service',
>             },
>         },
> 
> 
> "PassSync Service" cannot indeed change passwords of admins group. I am
> wondering if we want to change the default, which was added so that 
> lower-level
> administrators cannot change password of top level admins and impersonate them
> for example. Simo, any opinion?

We do not want to change the default behavior.

Simo.

> If you want to allow that, you could also add a new permission to allow
> changing admins group password and assign it to "PassSync Service" privilege.
> 
> Martin



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to