[Freeipa-users] Re: password reset privileges

2017-08-10 Thread Rob Crittenden via FreeIPA-users
Tiemen Ruiten wrote:
> Hello,
> 
> Sorry for the late reply. This is the latest FreeIPA version in CentOS
> 7.3 (4.4.0-14). 
> 
> Indeed the helpdesk role should be sufficient. I tried with the User
> Administrator role as well, but that made no difference. Since it's
> working for you, it's likely a config error, but I have no idea where to
> look at this point. Do you have any pointers?

I'd start with something simple:

$ ipa user-show --all --raw 

This will show all memberships, including those nested in roles. Ensure
that the "Change user password" is included.

Debugging ACIs at a lower level isn't fun but it's possible.

rob

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: password reset privileges

2017-08-09 Thread Tiemen Ruiten via FreeIPA-users
Hello,

Sorry for the late reply. This is the latest FreeIPA version in CentOS 7.3
(4.4.0-14).

Indeed the helpdesk role should be sufficient. I tried with the User
Administrator role as well, but that made no difference. Since it's working
for you, it's likely a config error, but I have no idea where to look at
this point. Do you have any pointers?

On 4 August 2017 at 19:19, Rob Crittenden  wrote:

> Tiemen Ruiten via FreeIPA-users wrote:
> > As I mentioned in my first mail, that doesn't work. For testing, I
> > created a new role that contains the following privileges:
> >
> > Group Administrators
> > Modify Group membership
> > Modify Users and Reset passwords
> > User Administrators
> >
> > Unfortunately, I get the same error.
>
> What version of IPA is this? The helpdesk role should be sufficient (and
> works for me).
>
> rob


-- 
Tiemen Ruiten
Systems Engineer
R&D Media


[Freeipa-users] Re: password reset privileges

2017-08-04 Thread Rob Crittenden via FreeIPA-users
Tiemen Ruiten via FreeIPA-users wrote:
> As I mentioned in my first mail, that doesn't work. For testing, I
> created a new role that contains the following privileges:
> 
> Group Administrators
> Modify Group membership
> Modify Users and Reset passwords
> User Administrators
> 
> Unfortunately, I get the same error.

What version of IPA is this? The helpdesk role should be sufficient (and
works for me).

rob



[Freeipa-users] Re: password reset privileges

2017-08-04 Thread Tiemen Ruiten via FreeIPA-users
As I mentioned in my first mail, that doesn't work. For testing, I created
a new role that contains the following privileges:

Group Administrators
Modify Group membership
Modify Users and Reset passwords
User Administrators

Unfortunately, I get the same error.

On 4 August 2017 at 17:40, Bob Rentschler  wrote:

> Assigning roles to your user will fix that issue. The existing "User
> Administrator" role may fit your needs, but I am unsure how restrictive
> you want to be with permissions.
>
>
> If you want to be more restrictive a custom role with "System: Change User
> password" permissions would seem to be the right way.
>
> Make a privilege that contains only that permission (and any other missing
> permissions down the road), add it to a new role and then
> assign that role to your user.
>
>
> Bob


-- 
Tiemen Ruiten
Systems Engineer
R&D Media


[Freeipa-users] Re: password reset privileges

2017-08-04 Thread Bob Rentschler via FreeIPA-users
Assigning roles to your user will fix that issue. The existing "User
Administrator" role may fit your needs, but I am unsure how restrictive
you want to be with permissions.


If you want to be more restrictive a custom role with "System: Change User
password" permissions would seem to be the right way.

Make a privilege that contains only that permission (and any other missing
permissions down the road), add it to a new role and then
assign that role to your user.


Bob

On Fri, Aug 4, 2017 at 10:12 AM, Tiemen Ruiten via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hello,
>
> I set up an LDAP User Federation in Keycloak to our FreeIPA domain.
> Unfortunately, the password reset functionality appears to only work when
> the user Keycloak binds as is in the admins group. I tried both the User
> Administrator and helpdesk roles, but always got this error:
>
> Caused by: javax.naming.NoPermissionException: [LDAP: error code 50 -
> Insufficient 'write' privilege to the 'userPassword' attribute of entry
> 'uid=x,cn=users,cn=accounts,dc=example,dc=com'
>
> Is there a way to allow password resets without adding the keycloak bind
> user to the admins group?
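Rob's suggestion earlier in the thread (run `ipa user-show <user> --all --raw` and confirm that the password-change permission is reached through the nested role memberships) is also the natural way to confirm that Bob's procedure (privilege containing "System: Change User password", added to a role, role assigned to the bind user) actually took effect for the Keycloak bind account. The script below is an added example, not code from the thread's authors or from the FreeIPA project. It parses the raw output and walks the membership attributes. It assumes that raw output prints one `attribute: value` per line, that directly assigned roles show up under `memberof` and the privileges and permissions they expand to under `memberofindirect`, and the standard FreeIPA RBAC DN layout (`cn=<name>,cn=roles,cn=accounts,<suffix>`, `cn=<name>,cn=privileges,cn=pbac,<suffix>`, `cn=<name>,cn=permissions,cn=pbac,<suffix>`). The two sample outputs embedded in it are constructed, not captured from a real server.

```python
"""Check whether an IPA account receives a permission through its role
memberships, by parsing the output of `ipa user-show <user> --all --raw`.

Added example; not code from the FreeIPA project or the thread authors.
Assumptions: one `attribute: value` per line; direct role membership is
listed as `memberof`, expanded privileges/permissions as `memberofindirect`;
standard FreeIPA RBAC containers (cn=roles,cn=accounts / cn=privileges,cn=pbac
/ cn=permissions,cn=pbac) under the directory suffix.
"""
import sys
from collections import defaultdict

TARGET = "System: Change User password"  # permission named in the thread

# Constructed sample: a bind account holding the built-in helpdesk role.
SAMPLE_RAW = """\
  dn: uid=keycloak,cn=users,cn=accounts,dc=example,dc=com
  uid: keycloak
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
  memberof: cn=helpdesk,cn=roles,cn=accounts,dc=example,dc=com
  memberofindirect: cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=example,dc=com
  memberofindirect: cn=Modify Group membership,cn=privileges,cn=pbac,dc=example,dc=com
  memberofindirect: cn=System: Change User password,cn=permissions,cn=pbac,dc=example,dc=com
  memberofindirect: cn=System: Modify Group Membership,cn=permissions,cn=pbac,dc=example,dc=com
  objectclass: top
"""

# Constructed sample: the same account with no role at all (the failing case,
# where the LDAP server answers error 50 on a userPassword write).
SAMPLE_NO_ROLE = """\
  dn: uid=keycloak,cn=users,cn=accounts,dc=example,dc=com
  uid: keycloak
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
  objectclass: top
"""

# (second RDN, third RDN) of the DN -> kind of RBAC object
KINDS = {
    ("cn=roles", "cn=accounts"): "role",
    ("cn=privileges", "cn=pbac"): "privilege",
    ("cn=permissions", "cn=pbac"): "permission",
    ("cn=groups", "cn=accounts"): "group",
}


def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return parts


def classify_dn(dn):
    """Return (kind, name) for a membership DN, e.g. ('role', 'helpdesk')."""
    rdns = split_dn(dn)
    if len(rdns) < 3 or not rdns[0].lower().startswith("cn="):
        return ("other", dn)
    kind = KINDS.get((rdns[1].lower(), rdns[2].lower()), "other")
    return (kind, rdns[0][3:])


def parse_raw(text):
    """Turn `attribute: value` lines into a multi-valued attribute map."""
    attrs = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if ": " not in line:
            continue
        name, value = line.split(": ", 1)  # split at the first ': ' only;
        attrs[name.lower()].append(value)  # values may themselves contain ': '
    return attrs


def rbac_memberships(attrs):
    """Group direct and indirect memberships by kind (role/privilege/permission)."""
    found = defaultdict(set)
    for dn in attrs.get("memberof", []) + attrs.get("memberofindirect", []):
        kind, name = classify_dn(dn)
        found[kind].add(name)
    return found


def has_permission(text, permission=TARGET):
    """True if the raw user-show output grants `permission` via any role."""
    names = {n.lower() for n in rbac_memberships(parse_raw(text))["permission"]}
    return permission.lower() in names


def report(text, permission=TARGET):
    """Human-readable summary of what the account has and whether it suffices."""
    m = rbac_memberships(parse_raw(text))
    lines = [
        "roles:       " + (", ".join(sorted(m["role"])) or "(none)"),
        "privileges:  " + (", ".join(sorted(m["privilege"])) or "(none)"),
        "permissions: " + (", ".join(sorted(m["permission"])) or "(none)"),
    ]
    verdict = "GRANTED" if has_permission(text, permission) else "MISSING"
    lines.append(f"'{permission}': {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe real output in: ipa user-show keycloak --all --raw | python3 this.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RAW
    print(report(data))
```

If the verdict is MISSING but a role is listed, the gap is between the role and the permission (the privilege does not contain it, or the role does not contain the privilege); if no role is listed at all, the bind account was never assigned one, which matches the error 50 on `userPassword` quoted in the thread.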