[Freeipa-users] Password change rights

Alexander Bokovoy abokovoy at redhat.com
Fri Sep 2 15:55:08 UTC 2016


On Fri, 02 Sep 2016, Rob Crittenden wrote:
>Alexander Bokovoy wrote:
>>On Fri, 02 Sep 2016, Mike Driscoll wrote:
>>>Hello.  I want to script the new user creation process.  I read in
>>>section 9.4 that "any user who has password change rights can change a
>>>password and no password policies are applied, but the other user must
>>>reset the password at the next login."  I want to create an account
>>>with this limited capability for inclusion in a script.  But I can't
>>>figure out how to configure an account to have this capability without
>>>being a full admin.  How can I create new user accounts and set initial
>>>passwords in a script?
>>You need to create a permission that allows writing to password
>>attributes. Then create a privilege and role that utilize this
>>permission.
>>
>>Then you would assign the user that is capable to reset passwords to
>>that role and it should be enough.
>>
>>I recently wrote an article on how to create new permissions:
>>https://vda.li/en/posts/2016/08/30/Creating-permissions-in-FreeIPA/
>>
>>You only need to look at selfservice 'Self can write own
>>password' and create a normal permission with similar effective
>>attributes:
>># ipa selfservice-show 'Self can write own password'
>>  Self-service name: Self can write own password
>>  Permissions: write
>>  Attributes: userpassword, krbprincipalkey, sambalmpassword,
>>sambantpassword
>>
>>Note the difference between selfservice and permission -- the former is
>>always executed against SELFDN of a bind identity, e.g. those who
>>authenticate, the latter can take care of both the target and the bind
>>identity.
>
>There already is such a permission, "System: Change User password"
Thank you, Rob. My bad: we have so many permissions now that the default
size limit kicks in and I don't see it:
# ipa permission-find --sizelimit=0 |grep -i 'permission name:'|wc -l
237
# ipa permission-find --sizelimit=0 |grep -i 'permission name:'|grep -i 'change user password'
  Permission name: System: Change User password

-- 
/ Alexander Bokovoy
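The steps discussed in the thread as one script, added here as an example (not code from the thread or from the FreeIPA project): it builds a privilege and role around the existing "System: Change User password" permission Rob pointed out, adds a service account to that role, and creates a user whose initial password is read from stdin. The role name, the service account `svc-provision`, the "System: Add Users" permission name and the `IPA` override variable used for dry runs are assumptions.

```shell
#!/bin/sh
# Added example; role name, service account, "System: Add Users" and the
# IPA override are assumptions. Set IPA=echo to print the commands instead
# of running them.
IPA="${IPA:-ipa}"

# Lists permissions matching a name fragment. --sizelimit=0 avoids the
# default search limit that hid "System: Change User password" in the thread.
find_permission() {
    "$IPA" permission-find --sizelimit=0 "$1"
}

# Builds a privilege and role around the built-in permissions and puts the
# service account into the role. Run with an admin ticket (kinit admin).
setup_password_reset_role() {
    role="$1"       # e.g. "Password Reset Operators"
    svc_user="$2"   # e.g. svc-provision
    priv="$role privilege"
    "$IPA" privilege-add "$priv" --desc="Create users and set initial passwords" &&
    "$IPA" privilege-add-permission "$priv" \
        --permissions="System: Change User password" &&
    "$IPA" privilege-add-permission "$priv" \
        --permissions="System: Add Users" &&   # assumed name; check with find_permission
    "$IPA" role-add "$role" --desc="Provisioning accounts with limited rights" &&
    "$IPA" role-add-privilege "$role" --privileges="$priv" &&
    "$IPA" role-add-member "$role" --users="$svc_user"
}

# Creates the account as the service user (kinit svc-provision first).
# ipa reads the password from stdin, so it never shows up in the process
# list; as the quoted documentation says, no password policy is applied and
# the new user has to change the password at the next login.
add_user_with_initial_password() {
    login="$1"; first="$2"; last="$3"; initial_pw="$4"
    printf '%s\n' "$initial_pw" |
        "$IPA" user-add "$login" --first="$first" --last="$last" --password
}

# Dry run of both steps: IPA=echo sh provision.sh
if [ "$IPA" = echo ]; then
    setup_password_reset_role "Password Reset Operators" svc-provision
    add_user_with_initial_password jdoe Jane Doe 'Temp-Only-Once'
fi
```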
