I want a role the user snapmgr belongs to that can add and delete snapon group 
member users, reset/change their passwords, and unlock their accounts.

When I log in as snapmgr and attempt to reset the password of user snaptestuser1 
(member of snapon group), it fails with "Insufficient access: Insufficient 
access rights". 

What did I miss?  What are the minimum permission effective attributes that 
need to be checked?

OK, so I created:

1)  A user snapmgr to be the group manager, able to reset passwords of snapon 
users (members of the snapon group)
2)  A role named snapon-manage, and assigned user snapmgr as the member user
3)  A privilege named snapon_management_privileges
4)  A permission named snap_user_passwd, assigned to the 
snapon_management_privileges privilege, which is assigned to the snapon-manage 

        Bind rule type:  x  permission
        Granted rights:
                x  read
                x  write
                x  add
                x  delete
                x  all
        Type:  user
        Target DN:  blank

        Member of group:  snapon

        Effective attributes:
                x  description
                x  ipasshpubkey
                x  homedirectory
                x  userpassword
                x  krbprincipalname
                x  krblastadminunlock

Larry Rosen - Linux System Administrator
JDR Solutions, Inc
8606 Allisonville Road, Suite 245
Indianapolis, IN 46250
