Thank you for the quick reply and a solution. I will try it in the next couple of days.
Regards,
Gašper

On Tue, Dec 1, 2015 at 2:51 PM, Martin Kosek <[email protected]> wrote:
> On 12/01/2015 02:41 PM, Simo Sorce wrote:
> > On Tue, 2015-12-01 at 12:57 +0100, Martin Kosek wrote:
> >> On 11/30/2015 02:25 PM, Gašper Bregar wrote:
> >>> I have been struggling with FreeIPA and AD password sync for a couple of
> >>> days now. At first everything was working fine, but then all of a sudden
> >>> the synchronization started to fail for me and another user.
> >>>
> >>> The error in passsync log was
> >>>
> >>> Ldap error in ModifyPassword
> >>>> 50: Insufficient access
> >>>
> >>> It took me some time to figure out that it was failing just for the two of us.
> >>> It was failing because we were in the admin user group in FreeIPA. Is this
> >>> intentional? Is it possible to somehow change this behaviour with a
> >>> setting?
> >>>
> >>> Regards,
> >>> Gašper
> >>
> >> Hello Gašper,
> >>
> >> I assume you are running with FreeIPA version 4.0 and above. At the moment,
> >> this is expected behavior, based on the permission configuration:
> >>
> >>     'System: Change User password': {
> >>         'ipapermright': {'write'},
> >>         'ipapermtargetfilter': [
> >>             '(objectclass=posixaccount)',
> >>             '(!(memberOf=%s))' % DN('cn=admins',
> >>                                     api.env.container_group,
> >>                                     api.env.basedn),
> >>         ],
> >>         'ipapermdefaultattr': {
> >>             'krbprincipalkey', 'passwordhistory', 'sambalmpassword',
> >>             'sambantpassword', 'userpassword'
> >>         },
> >>         ...
> >>         'default_privileges': {
> >>             'User Administrators',
> >>             'Modify Users and Reset passwords',
> >>             'PassSync Service',
> >>         },
> >>     },
> >>
> >> "PassSync Service" cannot indeed change passwords of admins group. I am
> >> wondering if we want to change the default, which was added so that lower-level
> >> administrators cannot change password of top level admins and impersonate them
> >> for example. Simo, any opinion?
> >
> > We do not want to change the default behavior.
> >
> > Simo.
>
> Ok. I requested a Doc update:
> https://bugzilla.redhat.com/show_bug.cgi?id=1287092
>
> Please feel free to comment in Bugzilla.
>
> Martin
>
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
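The following is an added illustration, not code from the thread or from the FreeIPA project. It evaluates the two `ipapermtargetfilter` components quoted by Martin against constructed directory entries to show why a write granted through the "PassSync Service" privilege reaches an ordinary user but not a member of `cn=admins`: the permission's target is the AND of `(objectclass=posixaccount)` and `(!(memberOf=<admins DN>))`, so an admin's entry simply falls outside the target and the server answers with LDAP result 50 (insufficient access). The `container_group` and `basedn` values, the entry DNs and their attributes are all constructed for the example; in a real deployment they come from `api.env` and from the directory.

```python
"""Added example: evaluate the 'System: Change User password' target filter
against constructed entries (not FreeIPA code; values are assumptions)."""
import re
from typing import Dict, List, Set

# Assumed deployment values (constructed). In FreeIPA they are taken from
# api.env.container_group and api.env.basedn when the DN is built.
CONTAINER_GROUP = "cn=groups,cn=accounts"
BASEDN = "dc=example,dc=test"
ADMINS_DN = f"cn=admins,{CONTAINER_GROUP},{BASEDN}"

# The two filter components from the permission definition quoted in the thread.
# FreeIPA ANDs the list into the ACI's target filter.
TARGET_FILTER: List[str] = [
    "(objectclass=posixaccount)",
    f"(!(memberOf={ADMINS_DN}))",
]

# A minimal entry model: attribute name -> set of values.
Entry = Dict[str, Set[str]]

_EQ = re.compile(r"^\(([A-Za-z][\w;-]*)=([^()]*)\)$")
_NOT_EQ = re.compile(r"^\(!\(([A-Za-z][\w;-]*)=([^()]*)\)\)$")


def _normalize(entry: Entry) -> Dict[str, Set[str]]:
    """Lower-case attribute names and values; objectClass and DN-valued
    attributes use case-insensitive matching rules in the directory."""
    return {k.lower(): {v.lower() for v in vals} for k, vals in entry.items()}


def matches_component(component: str, entry: Entry) -> bool:
    """Evaluate one equality or negated-equality filter component.
    Only the two shapes used by this permission are supported; DN values are
    compared as normalized strings, a simplification of real DN matching."""
    norm = _normalize(entry)
    m = _EQ.match(component)
    if m:
        attr, value = m.group(1).lower(), m.group(2).lower()
        return value in norm.get(attr, set())
    m = _NOT_EQ.match(component)
    if m:
        attr, value = m.group(1).lower(), m.group(2).lower()
        return value not in norm.get(attr, set())
    raise ValueError(f"unsupported filter component: {component}")


def permission_targets(entry: Entry, target_filter: List[str] = TARGET_FILTER) -> bool:
    """True when the entry is inside the permission's target, i.e. every
    component matches. Outside the target the ACI grants nothing, so a
    password write through this permission is denied (result 50)."""
    return all(matches_component(c, entry) for c in target_filter)


# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES: Dict[str, Entry] = {
    "uid=jdoe": {  # ordinary user: PassSync may write the password
        "objectClass": {"top", "person", "posixaccount", "inetorgperson"},
        "memberOf": {f"cn=ipausers,{CONTAINER_GROUP},{BASEDN}"},
    },
    "uid=gasper": {  # member of cn=admins: excluded by the (!(memberOf=...)) clause
        "objectClass": {"top", "person", "posixaccount", "inetorgperson"},
        "memberOf": {f"cn=ipausers,{CONTAINER_GROUP},{BASEDN}", ADMINS_DN},
    },
    "cn=svc-host": {  # not a posixaccount at all: excluded by the first clause
        "objectClass": {"top", "ipahost"},
        "memberOf": set(),
    },
}


def explain_denials() -> Dict[str, bool]:
    """Map each sample entry to whether the permission's target covers it."""
    return {dn: permission_targets(e) for dn, e in SAMPLE_ENTRIES.items()}


if __name__ == "__main__":
    for dn, covered in explain_denials().items():
        state = "in target: password write allowed" if covered else "outside target: insufficient access"
        print(f"{dn}: {state}")
```

The `memberOf` attribute in FreeIPA is maintained by the directory's memberOf plugin and reflects nested membership too, so a user who is an admin only through a nested group is excluded by the same clause. That is the separation Martin describes: a lower-privileged password-changing identity, PassSync included, cannot reset a top-level admin's password and impersonate them.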
