Karl Forner wrote:
> I forgot to say that I did a "kinit admin" before the  ipa user-mod.
> On Tue, Feb 23, 2016 at 2:31 PM, Karl Forner <karl.for...@gmail.com
> <mailto:karl.for...@gmail.com>> wrote:
>     Hello,
>     I tried to postpone a password expiration date, as indicated here:
> https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/pwd-expiration.html
>     % ipa user-mod myuser --setattr=krbpasswordexpiration=20170301121443Z
>     ipa: ERROR: Insufficient access: Insufficient 'write' privilege to
>     the 'krbPasswordExpiration' attribute of entry
>     'uid=myuser,cn=users,cn=accounts,dc=quartzbio,dc=com'.
>     Is this expected ? What is the canonical way of doing this ?

The docs you are referring to are quite old: 5 full Fedora releases,
several IPA releases.

To fix you'd need to add a new ACI that grants write access to this
attribute in the user container.

You can either do this via the permission/privilege/role route and add
the admins gropu to the new role, or you can directly add an ACI (more
direct but also less supportable and error-prone).


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to