On Tue, 2015-12-01 at 12:57 +0100, Martin Kosek wrote:
> On 11/30/2015 02:25 PM, Gašper Bregar wrote:
> > I have been struggling with FreeIPA and AD password sync for a couple of
> > days now. At first everything was working fine, but then all of a sudden
> > the synchronization started to fail for me and another user.
> >
> > The error in passsync log was
> >
> > Ldap error in ModifyPassword
> >> 50: Insufficient access
> >
> >
> > It took me some time to figure out that it was failing just for the two of us.
> > It was failing because we were in the admin user group in FreeIPA. Is this
> > intentional? Is it possible to somehow change this behaviour with a
> > setting?
> >
> > Regards,
> > Gašper
>
> Hello Gašper,
>
> I assume you are running with FreeIPA version 4.0 and above. At the moment,
> this is expected behavior, based on the permission configuration:
>
>     'System: Change User password': {
>         'ipapermright': {'write'},
>         'ipapermtargetfilter': [
>             '(objectclass=posixaccount)',
>             '(!(memberOf=%s))' % DN('cn=admins',
>                                     api.env.container_group,
>                                     api.env.basedn),
>         ],
>         'ipapermdefaultattr': {
>             'krbprincipalkey', 'passwordhistory', 'sambalmpassword',
>             'sambantpassword', 'userpassword'
>         },
>         ...
>         'default_privileges': {
>             'User Administrators',
>             'Modify Users and Reset passwords',
>             'PassSync Service',
>         },
>     },
>
>
> "PassSync Service" cannot indeed change passwords of admins group. I am
> wondering if we want to change the default, which was added so that
> lower-level administrators cannot change password of top level admins and
> impersonate them for example. Simo, any opinion?
We do not want to change the default behavior.

Simo.

> If you want to allow that, you could also add a new permission to allow
> changing admins group password and assign it to "PassSync Service" privilege.
>
> Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
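The following is an added illustration, not code from the thread or from FreeIPA. It models how the `ipapermtargetfilter` of the quoted 'System: Change User password' permission decides which entries the "PassSync Service" privilege may write, by parsing the two filter strings (ANDed, as FreeIPA combines target filters) and evaluating them against constructed LDAP-like user entries. The base DN, group DNs and user entries are constructed sample data; the `ADMINS_PASSWORD_EXTRA` filter is a hypothetical rendering of the extra permission Martin suggests (same attributes, but targeting only admins-group members) and is not a FreeIPA default.

```python
"""Evaluate FreeIPA-style permission target filters against sample entries.

Added example (not FreeIPA code). Implements a small RFC 4515 subset:
(&...), (|...), (!...), and (attr=value) equality with case-insensitive values.
"""

# Constructed sample DNs (FreeIPA lays groups out under cn=groups,cn=accounts).
BASE_DN = "dc=example,dc=test"
ADMINS_DN = f"cn=admins,cn=groups,cn=accounts,{BASE_DN}"
IPAUSERS_DN = f"cn=ipausers,cn=groups,cn=accounts,{BASE_DN}"

# Target filters as quoted in the thread; FreeIPA ANDs the list entries.
CHANGE_USER_PASSWORD = [
    "(objectclass=posixaccount)",
    f"(!(memberOf={ADMINS_DN}))",
]

# Hypothetical extra permission Martin suggests: covers only admins members.
ADMINS_PASSWORD_EXTRA = [
    "(objectclass=posixaccount)",
    f"(memberOf={ADMINS_DN})",
]


def parse(s, i=0):
    """Parse the filter starting at s[i]; return (node, index after it)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op = s[i]
        i += 1
        children = []
        while s[i] == "(":
            child, i = parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, children), i + 1
    close = s.index(")", i)
    attr, _, value = s[i:close].partition("=")   # split on first '=' only
    return ("=", attr.strip().lower(), value.strip()), close + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry (lowercase attr -> list)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def target_filter(filters):
    """Combine a permission's ipapermtargetfilter list the way FreeIPA does."""
    return "(&" + "".join(filters) + ")"


def permission_applies(entry, filters):
    node, _ = parse(target_filter(filters))
    return matches(node, entry)


# Constructed user entries; attribute names are lowercased as LDAP is
# case-insensitive on attribute types.
USERS = {
    "gasper": {
        "objectclass": ["top", "person", "posixaccount"],
        "uid": ["gasper"],
        "memberof": [IPAUSERS_DN, ADMINS_DN],
    },
    "jdoe": {
        "objectclass": ["top", "person", "posixaccount"],
        "uid": ["jdoe"],
        "memberof": [IPAUSERS_DN],
    },
}


def passsync_outcome(uid, privilege_filters=(CHANGE_USER_PASSWORD,)):
    """Mimic the directory's decision for a password write by PassSync.

    Returns 'ok' if any permission granted to the privilege targets the
    entry, else the error string seen in the passsync log.
    """
    entry = USERS[uid]
    if any(permission_applies(entry, f) for f in privilege_filters):
        return "ok"
    return "50: Insufficient access"


if __name__ == "__main__":
    for uid in USERS:
        print(uid, "default:", passsync_outcome(uid))
        print(uid, "with extra permission:",
              passsync_outcome(uid, (CHANGE_USER_PASSWORD, ADMINS_PASSWORD_EXTRA)))
```

With the default permission alone, the member of cn=admins is excluded by the `(!(memberOf=...))` clause and the write is denied, which is exactly the "Insufficient access" result from the log; granting the separate admins-only permission to the same privilege makes the write succeed. The negated memberOf clause is the control Simo defends: it keeps a privilege that can reset ordinary users' passwords from also being able to take over a top-level admin account.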