<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt">Hi Simo, That works perfectly. Thanks a lot. --David <div> </div><div> </div> <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <div dir="ltr"> <hr size="1"> From: Simo Sorce <simo@redhat.com> To: David Copperfield <cao2dan@yahoo.com> Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com> Sent: Friday, December 28, 2012 5:51 AM Subject: Re: [Freeipa-users] delegation questions: how to reset password for subordinate? </div> On Wed, 2012-12-26 at 15:57 -0800, David Copperfield wrote: > Hi all, > > > What are the user attributes that A manager should be granted with > read&write permissions to reset passwords for subordinate employees? > The typical implementation case: managers need to take care of > password reset requests for their subordinate employees. > > > I select 'userpassword' field the first time but it fails, then > combine it with other a few krb* fields but those don't help neither. > > > If you have the minimum field combinations to make the 'password > changing' delegation work, please feel free to post your results here. > Presently I just select ALL fields with read&right permissions to make > it work, but that definitely is a over kill and hurts privacy > potentially. You need write access to at least userPassword and krbPrincipalKey. Simo. P.S. David, please do not start a new thread by replying to old mails. -- Simo Sorce * Red Hat, Inc * New York </div> </div> </div></body></html>