Ronald Wimmer wrote:
> On 12.02.25 19:15, Rob Crittenden wrote:
>> More specifics would help. How did it not work as expected? What is the
>> full ACI you came up with?
>>
>> The idea is that this is granted to all authenticated users EXCEPT those
>> in the, in your case, iam-managed-users and admins groups.
>>
> We did not use RBAC much up to now. So it is very likely that I did not
> fully grasp the whole concept yet.
> 
> What I did was adding users to a group called
> cn=iam-managed-users,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at
> and modifying the target filter to
> (&(!(memberOf=cn=iam-managed-users,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at))(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at))).
> 
> 
> Nothing else. Because I thought the "System: Change User" permission
> applies to all IPA users by default. This assumption might probably be
> wrong...
> 
> 

It is controlled by 'Self can write own password'

$ ipa selfservice-show 'Self can write own password'
  Self-service name: Self can write own password
  Permissions: write
  Attributes: userpassword, krbprincipalkey, sambalmpassword,
sambantpassword

aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword
|| sambantpassword")(version 3.0; acl "selfservice:Self can write own
password"; allow (write) userdn="ldap:///self";;)

rob
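The reply makes two separate points: a permission's targetfilter narrows which entries the permission applies to, not which bound users hold it, and writes to one's own password are granted by the separate selfservice ACI with userdn="ldap:///self". The Python script below is an added example, not code from this thread or from FreeIPA/389-ds: it models both ACIs over a constructed three-user directory using the exact targetfilter and the selfservice attributes from the messages. The sample user DNs, the bind rule assumed for the edited permission (any authenticated user) and its targetattr set are assumptions made for the model, and the evaluator handles only allow rules with two bind-rule kinds, far less than the real 389-ds engine.

```python
"""Toy model of 389-ds ACI evaluation: targetattr + targetfilter + bind rule.

Added example, not code from the thread or from FreeIPA/389-ds. It models
only 'allow' ACIs and two bind-rule kinds (self, any authenticated user),
which is enough to show why editing a permission's targetfilter does not
change what the separate selfservice ACI grants.
"""

BASE = "cn=accounts,dc=linux,dc=mydomain,dc=at"
IAM_GROUP = f"cn=iam-managed-users,cn=groups,{BASE}"
ADMINS_GROUP = f"cn=admins,cn=groups,{BASE}"

# Constructed sample directory (attribute names stored lower-case).
DIRECTORY = {
    f"uid=alice,cn=users,{BASE}": {"memberof": []},
    f"uid=bob,cn=users,{BASE}": {"memberof": [IAM_GROUP]},
    f"uid=carol,cn=users,{BASE}": {"memberof": [ADMINS_GROUP]},
}

# Target filter from the thread: exclude members of the two groups.
EXCLUDE_FILTER = f"(&(!(memberOf={IAM_GROUP}))(!(memberOf={ADMINS_GROUP})))"

ACIS = [
    {   # Permission with the edited targetfilter. The bind rule and the
        # attribute set are assumptions for this model, not FreeIPA's definition.
        "name": "System: Change User password (targetfilter edited)",
        "targetattr": {"userpassword"},
        "targetfilter": EXCLUDE_FILTER,
        "bind": "authenticated",
    },
    {   # The selfservice ACI quoted in the reply.
        "name": "selfservice:Self can write own password",
        "targetattr": {"userpassword", "krbprincipalkey",
                       "sambalmpassword", "sambantpassword"},
        "targetfilter": None,
        "bind": "self",
    },
]


def parse_filter(text):
    """Parse a small LDAP filter subset: (&...), (|...), (!...), (attr=value)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at {pos}")
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, children)
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")  # DN values keep their own '='
        if not sep:
            raise ValueError("expected attr=value")
        pos = end + 1
        return ("=", attr.lower(), value.lower())

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against an entry (dict of lower-case attr -> values)."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    return value in (v.lower() for v in entry.get(attr, []))


def bind_rule_holds(rule, bind_dn, target_dn):
    """Two bind-rule kinds: userdn="ldap:///self" and userdn="ldap:///all"."""
    if rule == "self":
        return bind_dn == target_dn
    if rule == "authenticated":  # any bound (non-anonymous) user
        return True
    raise ValueError(f"unknown bind rule {rule!r}")


def granting_acis(bind_dn, target_dn, attr, acis=ACIS, directory=DIRECTORY):
    """Names of allow-ACIs under which bind_dn may write attr on target_dn."""
    entry = directory[target_dn]
    names = []
    for aci in acis:
        if attr.lower() not in aci["targetattr"]:
            continue
        if aci["targetfilter"] and not matches(parse_filter(aci["targetfilter"]), entry):
            continue  # target entry is outside the ACI's scope
        if not bind_rule_holds(aci["bind"], bind_dn, target_dn):
            continue  # bound user does not satisfy the bind rule
        names.append(aci["name"])
    return names


if __name__ == "__main__":
    bob = f"uid=bob,cn=users,{BASE}"
    alice = f"uid=alice,cn=users,{BASE}"
    print(granting_acis(bob, bob, "userpassword"))    # selfservice ACI still grants it
    print(granting_acis(alice, bob, "userpassword"))  # bob is excluded as a target
```

Running it shows that bob, a member of iam-managed-users, is excluded as a target of the edited permission yet still obtains write on userpassword through the selfservice ACI, while carol, an admins member, is not restricted as a bound user at all, because the exclusion sits in the targetfilter rather than in the bind rule.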

-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
