[Freeipa-users] Password change rights
Rob Crittenden
rcritten at redhat.com
Fri Sep 2 15:17:49 UTC 2016
Alexander Bokovoy wrote:
> On Fri, 02 Sep 2016, Mike Driscoll wrote:
>> Hello. I want to script the new user creation process. I read in
>> section 9.4 that "any user who has password change rights can change a
>> password and no password policies are applied, but the other user must
>> reset the password at the next login.” I want to create an account
>> with this limited capability for inclusion in a script. But I can’t
>> figure out how to configure an account to have this capability without
>> being a full admin. How can I create new user accounts and set initial
>> passwords in a script?
> You need to create a permission that allows writing to password
> attributes. Then create a privilege and role that utilize this
> permission.
>
> Then you would assign the user who is capable of resetting passwords to
> that role, and it should be enough.
>
> I recently wrote an article on how to create new permissions:
> https://vda.li/en/posts/2016/08/30/Creating-permissions-in-FreeIPA/
>
> You only need to look at selfservice 'Self can write own
> password' and create a normal permission with similar effective
> attributes:
> # ipa selfservice-show 'Self can write own password'
> Self-service name: Self can write own password
> Permissions: write
> Attributes: userpassword, krbprincipalkey, sambalmpassword,
> sambantpassword
>
> Note the difference between selfservice and permission -- the former is
> always executed against SELFDN of a bind identity, e.g. those who
> authenticate, the latter can take care of both the target and the bind
> identity.
There already is such a permission, "System: Change User password".
rob
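Putting the two replies together, here is an added example (not code from the thread or from FreeIPA itself) that wraps the existing "System: Change User password" permission in a privilege and a role, assigns a scripting account to that role, and then creates a user with an initial password from that account. The privilege, role and account names are constructed; set IPA_CMD=echo to dry-run the calls without an IPA server.

```shell
#!/bin/sh
# Added example: delegate password-reset rights to a non-admin service account
# and use it from a provisioning script. IPA_CMD defaults to the real client;
# IPA_CMD=echo prints the commands instead of running them.
IPA_CMD="${IPA_CMD:-ipa}"

# Managed permission named in Rob's reply; the privilege, role and user names
# below are constructed for this example.
PERMISSION='System: Change User password'
PRIVILEGE='Provisioning: Reset User Passwords'
ROLE='Provisioning Operator'

# Step 1 (run once, as an admin): permission -> privilege -> role -> member.
# The service account gets only this role, not the full admin role.
grant_password_reset_role() {
    account="$1"
    [ -n "$account" ] || { echo "account name required" >&2; return 1; }
    "$IPA_CMD" privilege-add "$PRIVILEGE" --desc="Set initial user passwords" &&
    "$IPA_CMD" privilege-add-permission "$PRIVILEGE" --permissions="$PERMISSION" &&
    "$IPA_CMD" role-add "$ROLE" --desc="Provisioning script account" &&
    "$IPA_CMD" role-add-privilege "$ROLE" --privileges="$PRIVILEGE" &&
    "$IPA_CMD" role-add-member "$ROLE" --users="$account"
}

# Step 2 (run from the script, after kinit as the service account): create the
# user and set the initial password on stdin. As the quoted section 9.4 says,
# no password policy applies and the user must change it at next login.
create_user_with_initial_password() {
    login="$1"; first="$2"; last="$3"; password="$4"
    [ -n "$password" ] || { echo "refusing to set an empty password" >&2; return 1; }
    printf '%s\n' "$password" |
        "$IPA_CMD" user-add "$login" --first="$first" --last="$last" --password
}

# Usage:
#   grant_password_reset_role svc-provision
#   create_user_with_initial_password jdoe John Doe "$INITIAL_PASSWORD"
```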