On Fri, 02 Sep 2016, Rob Crittenden wrote:
Alexander Bokovoy wrote:
On Fri, 02 Sep 2016, Mike Driscoll wrote:
Hello. I want to script the new user creation process. I read in
section 9.4 that "any user who has password change rights can change a
password and no password policies are applied, but the other user must
reset the password at the next login." I want to create an account
with this limited capability for inclusion in a script. But I can’t
figure out how to configure an account to have this capability without
being a full admin. How can I create new user accounts and set initial
passwords in a script?
You need to create a permission that allows writing to password
attributes. Then create a privilege and a role that utilize this
Then you would assign the user that is capable of resetting passwords to
that role, and it should be enough.
I recently wrote an article on how to create new permissions:
You only need to look at selfservice 'Self can write own
password' and create a normal permission with similar effective
# ipa selfservice-show 'Self can write own password'
Self-service name: Self can write own password
Attributes: userpassword, krbprincipalkey, sambalmpassword,
Note the difference between selfservice and permission -- the former is
always executed against SELFDN of a bind identity, e.g. those who
authenticate, the latter can take care of both the target and the bind
There already is such a permission, "System: Change User password"
Thank you, Rob. My bad: we have so many permissions now that the default
size limit kicks in and I don't see it:
# ipa permission-find --sizelimit=0 |grep -i 'permission name:'|wc -l
# ipa permission-find --sizelimit=0 |grep -i 'permission name:'|grep -i 'change
Permission name: System: Change User password
/ Alexander Bokovoy
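A scripted version of the permission -> privilege -> role chain Alexander describes, built on the existing "System: Change User password" permission Rob names; this is an added example, not code from the thread or from the FreeIPA project. It assumes the default "System: Add Users" permission exists (so the account can create users as well as set their passwords), and the privilege, role and account names are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Ties the existing "System: Change User
# password" permission to a dedicated provisioning account via a privilege and
# a role, then uses that account to create a user with an initial password.
# Names marked "assumed" are made up for this example.
set -eu

PERM_PASSWD='System: Change User password'  # default permission named in the thread
PERM_ADD='System: Add Users'                # default permission, assumed to exist
PRIV_NAME='User Provisioning'               # assumed privilege name
ROLE_NAME='User Provisioner'                # assumed role name
PROVISIONER='svc-provision'                 # assumed service account

# With DRY_RUN=1 the ipa commands are printed instead of executed, so the plan
# can be reviewed (and unit-tested) without an IPA server or an admin ticket.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One-time setup, run with an admin ticket: permission -> privilege -> role -> user.
setup_provisioner_role() {
    run ipa privilege-add "$PRIV_NAME" --desc='Create users and set initial passwords'
    run ipa privilege-add-permission "$PRIV_NAME" \
        --permissions="$PERM_PASSWD" --permissions="$PERM_ADD"
    run ipa role-add "$ROLE_NAME" --desc='Limited provisioning, not full admin'
    run ipa role-add-privilege "$ROLE_NAME" --privileges="$PRIV_NAME"
    run ipa role-add-member "$ROLE_NAME" --users="$PROVISIONER"
}

# Provisioning step, run with the provisioner's ticket (kinit svc-provision).
# --random lets the server generate the initial password and print it, so no
# password is passed on the command line. Because the password is set by
# someone other than the user, IPA expires it and forces a change at the
# first login, as the section 9.4 text quoted in the thread describes.
create_user_with_initial_password() {
    login=$1; first=$2; last=$3
    run ipa user-add "$login" --first="$first" --last="$last" --random
}

case "${1:-}" in
    setup) setup_provisioner_role ;;
    add)   create_user_with_initial_password "$2" "$3" "$4" ;;
esac
```

Run `DRY_RUN=1 sh provision.sh setup` to review the commands before running them for real, then `sh provision.sh add jdoe John Doe` with the provisioner's ticket.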
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project