[Freeipa-users] Creating roles tutorial/how-to
Larry Rosen
larry.rosen at JDRSolutions.com
Fri Jul 8 16:29:34 UTC 2016
I want a role the user snapmgr belongs to that can add, delete snapon group member users and reset/change their passwords and unlock their accounts
When I login as snapmgr and attempt to reset the password of user snaptestuser1 (member of snapon group), it fails with "Insufficient access: Insufficient access rights".
What did I miss? What are the minimum permission effective attributes that need to be checked?
OK, so I created:
1) A user snapmgr to be the group manager, able to reset passwords of snapon users (members of the snapon group)
2) A role named snapon-manage, and assigned user snapmgr as the member user
3) A privilege named snapon_management_privileges
4) A permission named snap_user_passwd, assigned to the snapon_management_privileges privilege, which is assigned to the snapon-manage role
PERMISSION SETTINGS:
Bind rule type: x permission
Granted rights:
x read
x write
x add
x delete
x all
TARGET:
Type: user
Target DN: blank
Member of group: snapon
Effective attributes:
x description
x ipasshpubkey
x homedirectory
x userpassword
x krbprincipalname
x krblastadminunlock
Larry Rosen - Linux System Administrator
JDR Solutions, Inc
8606 Allisonville Road, Suite 245
Indianapolis, IN 46250
www.jdrsolutions.com
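The same role, privilege and permission chain as a FreeIPA CLI script, added here as an example that is not part of the original post. It uses the names from the post (snapon, snapon-manage, snapon_management_privileges, snap_user_passwd, snapmgr) and keeps the permission to the minimum a reset/unlock needs: bind type "permission", target type user filtered on member of snapon, and only the write right on the password and unlock attributes, rather than all rights on six attributes, most of which (description, homedirectory, ipasshpubkey, krbprincipalname) have nothing to do with passwords. The verify step shows the resulting role and permission next to FreeIPA's built-in managed permissions "System: Change User password" and "System: Unlock User"; their attribute lists are the reference for what a reset and an unlock actually touch, so comparing your permission against them is the quickest way to find a missing effective attribute. Adding and deleting users needs a separate permission: a memberof filter cannot match an entry that is being added, because the new entry is not yet a member of anything. The script prints the commands instead of running them when the `ipa` client is absent or IPA_DRY_RUN is set.

```shell
#!/bin/sh
# Added example, not from the original post: build the permission -> privilege -> role
# chain with the FreeIPA CLI and verify it. Names are the ones from the post; the
# "System: ..." permissions are FreeIPA's built-in managed permissions, used here as a
# reference for which attributes a password reset and an account unlock touch.

GROUP="snapon"                          # group whose members snapmgr may manage
ROLE="snapon-manage"
PRIV="snapon_management_privileges"
PERM="snap_user_passwd"
MANAGER="snapmgr"

# Run the real client when it is installed and IPA_DRY_RUN is unset; otherwise print
# the command that would run, so the change can be reviewed before it touches the server.
ipa_cmd() {
    if [ -n "${IPA_DRY_RUN:-}" ] || ! command -v ipa >/dev/null 2>&1; then
        echo "ipa $*"
    else
        ipa "$@"
    fi
}

# Argument list for the permission, one argument per line. Scope: user entries that
# are members of $GROUP; bind rule: the default permission bind type; rights: write
# only, on the password and unlock attributes. No read/add/delete/all, and none of the
# unrelated attributes from the post (description, homedirectory, ipasshpubkey, ...).
permission_args() {
    printf '%s\n' \
        "permission-add" "$PERM" \
        "--type=user" \
        "--memberof=$GROUP" \
        "--bindtype=permission" \
        "--right=write" \
        "--attrs=userpassword" \
        "--attrs=krblastadminunlock" \
        "--attrs=krbloginfailedcount"
}

# Create the chain: permission -> privilege -> role -> member user.
setup_chain() {
    # permission_args emits one argument per line and none contain spaces,
    # so the unquoted expansion splits them back into separate arguments.
    ipa_cmd $(permission_args)
    ipa_cmd privilege-add "$PRIV" --desc="Manage passwords of $GROUP members"
    ipa_cmd privilege-add-permission "$PRIV" --permissions="$PERM"
    ipa_cmd role-add "$ROLE" --desc="Group manager for $GROUP"
    ipa_cmd role-add-privilege "$ROLE" --privileges="$PRIV"
    ipa_cmd role-add-member "$ROLE" --users="$MANAGER"
}

# Show what was granted and the built-in permissions for the same operations;
# any attribute present in the built-ins but missing from $PERM is a candidate
# for the "Insufficient access rights" error.
verify_chain() {
    ipa_cmd role-show "$ROLE" --all
    ipa_cmd permission-show "$PERM" --all
    ipa_cmd permission-show "System: Change User password" --all
    ipa_cmd permission-show "System: Unlock User" --all
}

case "${1:-}" in
    apply)   setup_chain && verify_chain ;;
    dry-run) IPA_DRY_RUN=1; export IPA_DRY_RUN; setup_chain && verify_chain ;;
esac
```

Run `sh snapon-role.sh dry-run` to see the exact commands, then `sh snapon-role.sh apply` with an admin ticket. To confirm the grant from the manager's side, obtain a ticket as snapmgr with `kinit snapmgr` and run `ipa passwd snaptestuser1`; if it still fails, diff the `--all` output of `snap_user_passwd` against the two built-in permissions shown by the verify step.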