Ronald Wimmer wrote:
> On 12.02.25 19:15, Rob Crittenden wrote:
>> More specifics would help. How did it not work as expected? What is the
>> full ACI you came up with?
>>
>> The idea is that this is granted to all authenticated users EXCEPT those
>> in the, in your case, iam-managed-users and admins groups.
>>
> We did not use RBAC much up to now. So it is very likely that I did not
> fully grasp the whole concept yet.
>
> What I did was adding users to a group called
> cn=iam-managed-users,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at
> and modifying the target filter to
> (&(!(memberOf=cn=iam-managed-users,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at))(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at))).
>
> Nothing else. Because I thought the "System: Change User" permission
> applies to all IPA users by default. This assumption might probably be
> wrong...
It is controlled by 'Self can write own password'

$ ipa selfservice-show 'Self can write own password'
  Self-service name: Self can write own password
  Permissions: write
  Attributes: userpassword, krbprincipalkey, sambalmpassword, sambantpassword
  aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)

rob

-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
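As an added illustration of the two ACIs in this thread (this is example code, not FreeIPA's or 389-ds's own evaluation logic), the following Python models how 389 Directory Server decides a write on userPassword under the self-service ACI Rob quoted, once with it as shipped and once with Ronald's targetfilter inserted into it. The user entries, the uid=...,cn=users,... container and the group memberships are constructed for the example; the DNs and the filter itself are the ones from the thread. Two things the model deliberately makes visible: userdn="ldap:///self" only ever grants a bind DN write access to its own entry, and a targetfilter on this ACI removes only this grant, so any other allow ACI covering userPassword (the one behind the "System: Change User" permission Ronald mentions, for instance) is unaffected and still applies to whoever it is granted to.

```python
"""Toy model of how 389 Directory Server evaluates the self-service
password ACI from this thread.  Added example, not FreeIPA or 389-ds
code; the user entries below are constructed for illustration only."""
import re

# Suffixes from the thread; used to build the constructed sample entries.
GROUPS = "cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at"
USERS = "cn=users,cn=accounts,dc=linux,dc=mydomain,dc=at"   # assumed container

TARGETATTR = ('(targetattr = "userpassword || krbprincipalkey || '
              'sambalmpassword || sambantpassword")')
RULE = ('(version 3.0; acl "selfservice:Self can write own password"; '
        'allow (write) userdn="ldap:///self";)')

# The stock ACI as shown by `ipa selfservice-show`.
STOCK_ACI = TARGETATTR + RULE

# The same ACI with Ronald's target filter inserted: an entry that is a
# member of either group no longer matches, so this grant does not apply.
FILTERED_ACI = (TARGETATTR
                + '(targetfilter = "(&'
                + f'(!(memberOf=cn=iam-managed-users,{GROUPS}))'
                + f'(!(memberOf=cn=admins,{GROUPS})))")'
                + RULE)


def parse_aci(aci):
    """Pull the parts of a v3 ACI this model cares about."""
    attrs = re.search(r'\(targetattr\s*=\s*"([^"]*)"\)', aci).group(1)
    tfilter = re.search(r'\(targetfilter\s*=\s*"([^"]*)"\)', aci)
    rights = re.search(r'allow\s*\(([^)]*)\)', aci).group(1)
    userdn = re.search(r'userdn\s*=\s*"([^"]*)"', aci).group(1)
    return {
        "targetattr": {a.strip().lower() for a in attrs.split("||")},
        "targetfilter": tfilter.group(1) if tfilter else None,
        "rights": {r.strip().lower() for r in rights.split(",")},
        "userdn": userdn,
    }


def _parse_filter(s, i=0):
    """Parse the RFC 4515 subset used here (&, |, !, attr=value).
    Returns (node, index just past the closing parenthesis)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i} in {s!r}")
    i += 1
    op = s[i]
    if op in "&|!":
        i += 1
        children = []
        while s[i] == "(":
            child, i = _parse_filter(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("unterminated filter")
        return (op, children), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.strip().lower(), value.strip()), end + 1


def match_filter(node, entry):
    """Evaluate a parsed filter against an entry (attr name -> list of values)."""
    op = node[0]
    if op == "&":
        return all(match_filter(c, entry) for c in node[1])
    if op == "|":
        return any(match_filter(c, entry) for c in node[1])
    if op == "!":
        return not match_filter(node[1][0], entry)
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def norm_dn(dn):
    return ",".join(part.strip() for part in dn.lower().split(","))


def allows_write(aci, bind_dn, entry, attribute):
    """True if this single ACI grants bind_dn write on entry[attribute].
    Real 389-ds unions every applicable allow ACI; this checks one."""
    rule = parse_aci(aci)
    if attribute.lower() not in rule["targetattr"] or "write" not in rule["rights"]:
        return False
    if rule["targetfilter"] is not None:
        node, _ = _parse_filter(rule["targetfilter"])
        if not match_filter(node, entry):      # target entry must match
            return False
    if rule["userdn"] == "ldap:///self":       # bound DN must be the target
        return norm_dn(bind_dn) == norm_dn(entry["dn"])
    return False


def user(uid, groups):
    """Constructed sample entry; memberOf as the memberOf plugin would fill it."""
    return {"dn": f"uid={uid},{USERS}", "uid": [uid],
            "memberof": [f"cn={g},{GROUPS}" for g in groups]}


ALICE = user("alice", [])                    # ordinary IPA user
BOB = user("bob", ["iam-managed-users"])     # provisioned by the IAM system
CAROL = user("carol", ["admins"])            # member of admins

if __name__ == "__main__":
    for label, aci in (("stock", STOCK_ACI), ("filtered", FILTERED_ACI)):
        for e in (ALICE, BOB, CAROL):
            ok = allows_write(aci, e["dn"], e, "userPassword")
            print(f"{label:8} {e['uid'][0]:6} self-change of userPassword: {ok}")
```

Running it shows the stock ACI letting all three users change their own password and the filtered one allowing only alice, while alice binding against bob's entry is refused under both because the rule is userdn="ldap:///self". Whatever the filtered ACI is applied with, verifying it means binding as a member of iam-managed-users and attempting the change, since an unrelated allow ACI on userPassword would still succeed here.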