Karl Forner wrote:
> I forgot to say that I did a "kinit admin" before the  ipa user-mod.
> 
> On Tue, Feb 23, 2016 at 2:31 PM, Karl Forner <karl.for...@gmail.com
> <mailto:karl.for...@gmail.com>> wrote:
> 
>     Hello,
> 
>     I tried to postpone a password expiration date, as indicated here:
>     
> https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/pwd-expiration.html
> 
>     % ipa user-mod myuser --setattr=krbpasswordexpiration=20170301121443Z
> 
>     ipa: ERROR: Insufficient access: Insufficient 'write' privilege to
>     the 'krbPasswordExpiration' attribute of entry
>     'uid=myuser,cn=users,cn=accounts,dc=quartzbio,dc=com'.
> 
>     Is this expected ? What is the canonical way of doing this ?

The docs you are referring to are quite old: 5 full Fedora releases,
several IPA releases.

To fix you'd need to add a new ACI that grants write access to this
attribute in the user container.

You can either do this via the permission/privilege/role route and add
the admins gropu to the new role, or you can directly add an ACI (more
direct but also less supportable and error-prone).

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to