Russell Long via FreeIPA-users wrote:
> I'm trying to create a set of limited users who have the ability to
> unlock all other user accounts and change their passwords. I've got the
> password portion figured out, however when a user with the limited
> permissions tries to run the `unlock` operation they get the following
> message:
>
> Insufficient access: Insufficient 'write' privilege to
> the 'krbLoginFailedCount' attribute of entry...
>
> I have attempted to create a permission granting this access, but it
> does not appear to work.
>
> I'll attach an image of the existing permission, not sure how the list
> will handle the image.
What isn't clear is whether you added the permission to a privilege and a role. This sequence worked for me.

Create a user with limited rights and reset the p/w

# echo password | ipa user-add --first limited --last user limited --password
# ipa passwd limited
# kinit limited

Add a new permission to unlock users

# kinit admin
# ipa permission-add unlock --type user --right write --right read --attrs={krbloginfailedcount,krblastadminunlock}
# ipa privilege-add unlock
# ipa privilege-add-permission --permission unlock unlock
# ipa role-add unlock
# ipa role-add-privilege --privilege=unlock unlock
# ipa role-add-member --users limited unlock

Create a user which we'll lock and reset the p/w

# echo password | ipa user-add lockme --first tim --last user --password
# kinit lockme

kinit with the wrong password until the account is locked

# ipa user-unlock lockme

Test the now unlocked user

# kinit lockme

Profit!

Note that the rights add and delete are entry-level rights. They don't apply to individual attributes.

rob
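The point of the reply is that a permission by itself grants nothing: it has to hang off a privilege, which hangs off a role, which the user is a member of. The toy model below, an added example that is not FreeIPA code and not part of the thread, walks that chain and reproduces the denial text from the question when a link is missing; the names `unlock` and `limited` follow the thread, and the add/delete guard mirrors the note that those rights are entry-level.

```python
# "add" and "delete" are entry-level rights: they apply to whole entries,
# never to individual attributes such as krbLoginFailedCount.
ENTRY_LEVEL_RIGHTS = {"add", "delete"}


class Rbac:
    def __init__(self):
        self.permissions = {}  # name -> (set of rights, set of lower-cased attrs)
        self.privileges = {}   # privilege name -> set of permission names
        self.roles = {}        # role name -> set of privilege names
        self.members = {}      # role name -> set of user names

    def permission_add(self, name, rights, attrs=()):
        if ENTRY_LEVEL_RIGHTS & set(rights) and attrs:
            raise ValueError("add/delete are entry-level rights; attrs do not apply")
        self.permissions[name] = (set(rights), {a.lower() for a in attrs})

    def privilege_add_permission(self, privilege, permission):
        self.privileges.setdefault(privilege, set()).add(permission)

    def role_add_privilege(self, role, privilege):
        self.roles.setdefault(role, set()).add(privilege)

    def role_add_member(self, role, user):
        self.members.setdefault(role, set()).add(user)

    def check(self, user, right, attr):
        # Walk every chain that ends at the user; None means the access is allowed.
        for role, users in self.members.items():
            if user not in users:
                continue
            for priv in self.roles.get(role, ()):
                for perm in self.privileges.get(priv, ()):
                    rights, attrs = self.permissions[perm]
                    if right in rights and attr.lower() in attrs:
                        return None
        return f"Insufficient '{right}' privilege to the '{attr}' attribute"


def demo():
    rbac = Rbac()
    # Permission alone, as in the original question: nothing binds it to 'limited'.
    rbac.permission_add("unlock", ["read", "write"],
                        ["krbLoginFailedCount", "krbLastAdminUnlock"])
    before = rbac.check("limited", "write", "krbLoginFailedCount")
    # The privilege, role and membership steps from the reply complete the chain.
    rbac.privilege_add_permission("unlock", "unlock")
    rbac.role_add_privilege("unlock", "unlock")
    rbac.role_add_member("unlock", "limited")
    after = rbac.check("limited", "write", "krbLoginFailedCount")
    return before, after
```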