Re: [Freeipa-users] delegation questions: how to reset password for subordinate?

2012-12-28 Thread Simo Sorce
On Wed, 2012-12-26 at 15:57 -0800, David Copperfield wrote:
> Hi all,
>
> What are the user attributes that a manager should be granted with
> readwrite permissions to reset passwords for subordinate employees?
> The typical implementation case: managers need to take care of
> password reset requests for their subordinate employees.
>
> I selected the 'userpassword' field the first time but it failed, then
> combined it with a few other krb* fields, but those didn't help either.
>
> If you have the minimum field combinations to make the 'password
> changing' delegation work, please feel free to post your results here.
> Presently I just select ALL fields with readwrite permissions to make
> it work, but that definitely is overkill and potentially hurts
> privacy.

You need write access to at least userPassword and krbPrincipalKey.

Simo.

P.S. David, please do not start a new thread by replying to old mails.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
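
The delegation described in the reply above, as an added example that is not part of the original thread: it creates a delegation limited to the two attributes Simo names and checks an existing delegation for anything broader. The group names, the delegation name, the IPA dry-run variable and the sample delegation-show output are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Group and delegation names are
# hypothetical; the two attributes are the ones named in the reply above.
IPA="${IPA:-ipa}"                  # assumption: set IPA=echo for a dry run
MINIMAL_ATTRS="userpassword krbprincipalkey"

# delegate_password_reset MANAGER_GROUP SUBORDINATE_GROUP NAME
# Members of MANAGER_GROUP get write access to only the two password
# attributes on members of SUBORDINATE_GROUP.
delegate_password_reset() {
    "$IPA" delegation-add "$3" --group="$1" --membergroup="$2" \
        --permissions=write --attrs=userpassword --attrs=krbprincipalkey
}

# Reads `ipa delegation-show NAME` output on stdin, prints every delegated
# attribute beyond the minimal set, and returns 1 if there is any.
extra_delegated_attrs() {
    eda_extra=0
    eda_attrs=$(sed -n 's/^ *Attributes: *//p' \
        | tr '[:upper:]' '[:lower:]' | tr ',' ' ')
    for eda_a in $eda_attrs; do
        case " $MINIMAL_ATTRS " in
            *" $eda_a "*) ;;
            *) echo "$eda_a"; eda_extra=1 ;;
        esac
    done
    return "$eda_extra"
}

# Constructed sample of delegation-show output for an over-broad delegation.
SAMPLE_SHOW_OUTPUT='  Delegation name: mgr-reset-pw
  Permissions: write
  Attributes: userpassword, krbprincipalkey, mail, telephonenumber
  Member user group: subordinates
  User group: managers'

printf '%s\n' "$SAMPLE_SHOW_OUTPUT" | extra_delegated_attrs \
    || echo "delegation grants more than a password reset needs"
```

Against a live server, pipe the output of `ipa delegation-show NAME` into extra_delegated_attrs to confirm a delegation was not left at the "ALL fields" setting.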


Re: [Freeipa-users] delegation questions: how to reset password for subordinate?

2012-12-28 Thread David Copperfield
Hi Simo,

 That works perfectly. Thanks a lot.

--David





From: Simo Sorce s...@redhat.com
To: David Copperfield cao2...@yahoo.com
Cc: freeipa-users@redhat.com freeipa-users@redhat.com
Sent: Friday, December 28, 2012 5:51 AM
Subject: Re: [Freeipa-users] delegation questions: how to reset password for subordinate?
 
On Wed, 2012-12-26 at 15:57 -0800, David Copperfield wrote:
> Hi all,
>
> What are the user attributes that a manager should be granted with
> readwrite permissions to reset passwords for subordinate employees?
> The typical implementation case: managers need to take care of
> password reset requests for their subordinate employees.
>
> I selected the 'userpassword' field the first time but it failed, then
> combined it with a few other krb* fields, but those didn't help either.
>
> If you have the minimum field combinations to make the 'password
> changing' delegation work, please feel free to post your results here.
> Presently I just select ALL fields with readwrite permissions to make
> it work, but that definitely is overkill and potentially hurts
> privacy.

You need write access to at least userPassword and krbPrincipalKey.

Simo.

P.S. David, please do not start a new thread by replying to old mails.

-- 
Simo Sorce * Red Hat, Inc * New York