On 19.02.25 16:40, Rob Crittenden via FreeIPA-users wrote:
Ronald Wimmer via FreeIPA-users wrote:
On 19.02.25 15:54, Rob Crittenden via FreeIPA-users wrote:
Ronald Wimmer wrote:
On 19.02.25 13:48, Rob Crittenden via FreeIPA-users wrote:
Ronald Wimmer wrote:


On 13.02.25 17:42, Rob Crittenden wrote:
Ronald Wimmer wrote:
On 12.02.25 19:15, Rob Crittenden wrote:
More specifics would help. How did it not work as expected? What
is the
full ACI you came up with?

The idea is that this is granted to all authenticated users EXCEPT
those
in the, in your case, iam-managed-users and admins groups.

We did not user RBAC much up to now. So it is very likely that I
did not
fully grasp the whole concept yet.

What I did was adding users to a group called
cn=iam-managed-users,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at

and modifying the target filter to
(&(!(memberOf=cn=iam-managed-users,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at))(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at))).





Nothing else. Because I thought the "System: Change User" permission
applies to all IPA users by default. This assumption might
probably be
wrong...



It is controlled by 'Self can write own password'

$ ipa selfservice-show 'Self can write own password'
      Self-service name: Self can write own password
      Permissions: write
      Attributes: userpassword, krbprincipalkey, sambalmpassword,
sambantpassword

aci: (targetattr = "userpassword || krbprincipalkey ||
sambalmpassword
|| sambantpassword")(version 3.0; acl "selfservice:Self can write own
password"; allow (write) userdn="ldap:///self";;)

     ipapermtargetfilter:
(&(!(memberOf=cn=iam-managed-users,cn=groups,cn=accounts,dc=ipatest,dc=mydomain,dc=at))(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipatest,dc=mydomain,dc=at)))



     ipapermissiontype: SYSTEM
     ipapermissiontype: V2
     ipapermissiontype: MANAGED
     aci: (targetattr = "krbpasswordexpiration || krbprincipalkey ||
passwordhistory || sambalmpassword || sambantpassword ||
userpassword")(targetfilter =
"(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipatest,dc=mydomain,dc=at))(objectclass=posixaccount))")(version


3.0;acl "permission:System: Change User password";allow (write)
groupdn
= "ldap:///cn=System: Change User
password,cn=permissions,cn=pbac,dc=ipatest,dc=mydomain,dc=at";)

Modifying the ipapermtargetfilter (manually in LDAP) did not
produce the
aci I was expecting. Do I have to modify it by IPA API means (eg.
CLI?)
or did I modify the wrong attribute?

This is the wrong permission. This handles who can change someone
else's
password. To manage who can change their own you have to modify 'Self
can write own password' via the selfservice plugin.

I see. But when I remove all the password relevant attributes as an
admin users are still able to change their passwords...


You're saying users that are also admins can change their own passwords?
admins are special so there may be additional ACIs involved.

No. My eypectation was that regular users cannot change their passwords
anymore after I removed the password attributes from the selfservice
permission you named above.

It is very difficult to help you if you don't show your work.

What does the selfservice entry look like?

How are you testing the password change?

Sorry. I try to be more specific. Initially I wanted to forbid password change for a certain user group. But now I just wanted to see it working in general. So... the IPA installation is completely unmodified in this regard.

What did I try?
Taking away all password-related attributes I found in the "Self can write own password" permission. I did this with the IPA admin user.

What did I expect?
That all non-admins cannot change their passwords anymore.

How did I try it?
Logged in with a non admin account on the IPA WebGUI and tried a password change. (which unfortunately worked)

--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to