Karl Forner wrote: > I forgot to say that I did a "kinit admin" before the ipa user-mod. > > On Tue, Feb 23, 2016 at 2:31 PM, Karl Forner <karl.for...@gmail.com > <mailto:karl.for...@gmail.com>> wrote: > > Hello, > > I tried to postpone a password expiration date, as indicated here: > > https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/pwd-expiration.html > > % ipa user-mod myuser --setattr=krbpasswordexpiration=20170301121443Z > > ipa: ERROR: Insufficient access: Insufficient 'write' privilege to > the 'krbPasswordExpiration' attribute of entry > 'uid=myuser,cn=users,cn=accounts,dc=quartzbio,dc=com'. > > Is this expected ? What is the canonical way of doing this ?
The docs you are referring to are quite old: 5 full Fedora releases, several IPA releases. To fix you'd need to add a new ACI that grants write access to this attribute in the user container. You can either do this via the permission/privilege/role route and add the admins gropu to the new role, or you can directly add an ACI (more direct but also less supportable and error-prone). rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project