Re: [Freeipa-users] Password change rights

Fri, 02 Sep 2016 08:59:35 -0700 

On Fri, 02 Sep 2016, Rob Crittenden wrote:

Alexander Bokovoy wrote:

On Fri, 02 Sep 2016, Mike Driscoll wrote:

Hello.  I want to script the new user creation process.  I read in
section 9.4 that "any user who has password change rights can change a
password and no password policies are applied, but the other user must
reset the password at the next login.”  I want to create an account
with this limited capability for inclusion in a script.  But I can’t
figure out how to configure an account to have this capability without
being a full admin.  How can I create new user accounts and set initial
passwords in a script?

You need to create a permission that allows to write to password
attributes. Then create a privilege and role that utilize this
permission.

Then you would assign the user that is capable to reset passwords to
that role and it should be enough.

I recently wrote an article how to create new permissions:
https://vda.li/en/posts/2016/08/30/Creating-permissions-in-FreeIPA/

You only need to look at selfservice 'Self can write own
password' and create a normal permission with similar effective
attributes:
# ipa selfservice-show 'Self can write own password'
 Self-service name: Self can write own password
 Permissions: write
 Attributes: userpassword, krbprincipalkey, sambalmpassword,
sambantpassword

Note the difference between selfservice and permission -- the former is
always executed against SELFDN of a bind identity, e.g. those who
authenticate, the latter can take care of both the target and the bind
identity.


There already is such a permission, "System: Change User password"

Thank you, Rob. My bad: we have so many permissions now that default
size limit kicks in and I don't see it:
# ipa permission-find --sizelimit=0 |grep -i 'permission name:'|wc -l
237
# ipa permission-find --sizelimit=0 |grep -i 'permission name:'|grep -i 'change 
user password'
 Permission name: System: Change User password

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to