On 20.02.25 02:38, Rob Crittenden wrote:
Ronald Wimmer wrote:


On 19.02.25 19:37, Rob Crittenden wrote:
Ronald Wimmer via FreeIPA-users wrote:
On 19.02.25 16:40, Rob Crittenden via FreeIPA-users wrote:
Ronald Wimmer via FreeIPA-users wrote:
On 19.02.25 15:54, Rob Crittenden via FreeIPA-users wrote:
Ronald Wimmer wrote:
On 19.02.25 13:48, Rob Crittenden via FreeIPA-users wrote:
Ronald Wimmer wrote:


On 13.02.25 17:42, Rob Crittenden wrote:
Ronald Wimmer wrote:
On 12.02.25 19:15, Rob Crittenden wrote:
More specifics would help. How did it not work as expected? What is the
full ACI you came up with?

The idea is that this is granted to all authenticated users EXCEPT those
in the, in your case, iam-managed-users and admins groups.

We did not use RBAC much up to now. So it is very likely that I did not
fully grasp the whole concept yet.

What I did was adding users to a group called
cn=iam-managed-users,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at
and modifying the target filter to
(&(!(memberOf=cn=iam-managed-users,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at))(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at))).

Nothing else. Because I thought the "System: Change User" permission
applies to all IPA users by default. This assumption might probably be
wrong...

It is controlled by 'Self can write own password'

$ ipa selfservice-show 'Self can write own password'
        Self-service name: Self can write own password
        Permissions: write
        Attributes: userpassword, krbprincipalkey, sambalmpassword, sambantpassword

aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";;)

       ipapermtargetfilter: (&(!(memberOf=cn=iam-managed-users,cn=groups,cn=accounts,dc=ipatest,dc=mydomain,dc=at))(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipatest,dc=mydomain,dc=at)))
       ipapermissiontype: SYSTEM
       ipapermissiontype: V2
       ipapermissiontype: MANAGED
       aci: (targetattr = "krbpasswordexpiration || krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipatest,dc=mydomain,dc=at))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipatest,dc=mydomain,dc=at";)

Modifying the ipapermtargetfilter (manually in LDAP) did not produce the
aci I was expecting. Do I have to modify it by IPA API means (e.g. CLI?)
or did I modify the wrong attribute?

This is the wrong permission. This handles who can change someone else's
password. To manage who can change their own you have to modify 'Self
can write own password' via the selfservice plugin.

I see. But when I remove all the password-relevant attributes as an
admin, users are still able to change their passwords...


You're saying users that are also admins can change their own passwords?
admins are special so there may be additional ACIs involved.

No. My expectation was that regular users cannot change their passwords
anymore after I removed the password attributes from the selfservice
permission you named above.

It is very difficult to help you if you don't show your work.

What does the selfservice entry look like?

How are you testing the password change?

Sorry. I'll try to be more specific. Initially I wanted to forbid password
change for a certain user group. But now I just wanted to see it working
in general. So... the IPA installation is completely unmodified in this
regard.

What did I try?
Taking away all password-related attributes I found in the "Self can
write own password" permission. I did this with the IPA admin user.

You still haven't shown the selfservice permission.

ipa selfservice-show --raw
Self-service name: Self can write own password
   aci: (targetattr = "krbprincipalkey")(version 3.0;acl "selfservice:Self can write own password";allow (write) userdn = "ldap:///self";;)



How did you remove all attributes? It should throw an error about
invalid or missing values.

Logged into IPA via the WebGUI as admin. Went to IPA Server->RBAC->Self
Service Permissions. Clicked on "Self can write own password". Unchecked
"userpassword". Clicked on "save". Logged out and logged back in as a
non-admin. Tried password change. Worked. (and my expectation was it
should not have worked.)


krbprincipalkey is also the password, as are all the other attributes in
the permission. If you delete the permission then the next upgrade will
re-create it so I'd suggest removing all attributes from it and adding
something a user already has for themselves, like ipasshpubkey.

Great! It works! (IPA Error 2100: ACIError, Insufficient access: Invalid credentials)

Thank you for your patience! My IPA time is very limited at the moment...
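As an added check for readers of this thread (my own example, not code from the list, from Ronald or Rob, or from FreeIPA itself), here is a small Python parser for the raw ACI string that `ipa selfservice-show --raw` and `ipa permission-show --raw` print. It splits the ACI into target attributes, optional target filter, rights and bind rule, and reports which password-bearing attributes a user can still write on their own entry. `PASSWORD_ATTRS` is my own list, collected from the six attribute names that appear in the two permissions quoted above; it is not an IPA constant. The three sample ACIs are constructed by re-typing the ones quoted in the thread.

```python
import re

# Attribute names that carry password material in IPA, collected from the
# two permissions quoted in the thread (my own list, not an IPA constant).
PASSWORD_ATTRS = {
    "userpassword", "krbprincipalkey", "passwordhistory",
    "krbpasswordexpiration", "sambalmpassword", "sambantpassword",
}

# Constructed samples, re-typed from the ACIs quoted in the thread.
SELF_ACI_AFTER_WEBUI_EDIT = (
    '(targetattr = "krbprincipalkey")(version 3.0;acl '
    '"selfservice:Self can write own password";allow (write) userdn = '
    '"ldap:///self";;)'
)
SELF_ACI_HARDENED = (  # only a harmless attribute left, as Rob suggested
    '(targetattr = "ipasshpubkey")(version 3.0;acl '
    '"selfservice:Self can write own password";allow (write) userdn = '
    '"ldap:///self";;)'
)
CHANGE_USER_PASSWORD_ACI = (
    '(targetattr = "krbpasswordexpiration || krbprincipalkey || passwordhistory '
    '|| sambalmpassword || sambantpassword || userpassword")'
    '(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,'
    'dc=ipatest,dc=mydomain,dc=at))(objectclass=posixaccount))")'
    '(version 3.0;acl "permission:System: Change User password";allow (write) '
    'groupdn = "ldap:///cn=System: Change User password,cn=permissions,'
    'cn=pbac,dc=ipatest,dc=mydomain,dc=at";)'
)

_TARGETATTR = re.compile(r'\(targetattr\s*=\s*"([^"]*)"\)')
_TARGETFILTER = re.compile(r'\(targetfilter\s*=\s*"([^"]*)"\)')
_ACL_NAME = re.compile(r'\bacl\s*"([^"]*)"')
_RIGHTS = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)')
_BIND = re.compile(r'\b(userdn|groupdn)\s*=\s*"([^"]*)"')


def parse_aci(aci):
    """Split a 389-ds style ACI into its target, rights and bind-rule parts."""
    targetattr = _TARGETATTR.search(aci)
    acl_name = _ACL_NAME.search(aci)
    rights = _RIGHTS.search(aci)
    bind = _BIND.search(aci)
    if not (targetattr and acl_name and rights and bind):
        raise ValueError("ACI does not have the expected shape: %r" % aci)
    targetfilter = _TARGETFILTER.search(aci)
    return {
        # targetattr is a "||"-separated list; normalise case for comparison
        "targetattr": [a.strip().lower()
                       for a in targetattr.group(1).split("||") if a.strip()],
        "targetfilter": targetfilter.group(1) if targetfilter else None,
        "acl": acl_name.group(1),
        "effect": rights.group(1),
        "rights": [r.strip().lower() for r in rights.group(2).split(",")],
        "bind_type": bind.group(1),
        "bind_dn": bind.group(2),
    }


def self_writable_password_attrs(aci):
    """Password-bearing attributes this ACI lets a user write on their own entry."""
    p = parse_aci(aci)
    grants_self_write = (
        p["effect"] == "allow"
        and "write" in p["rights"]
        and p["bind_type"] == "userdn"
        and p["bind_dn"] == "ldap:///self"
    )
    if not grants_self_write:
        # groupdn-based permissions (like "System: Change User password")
        # govern who may change *other* users' passwords, not self-service
        return set()
    return PASSWORD_ATTRS & set(p["targetattr"])


if __name__ == "__main__":
    for label, aci in [("after Web UI edit", SELF_ACI_AFTER_WEBUI_EDIT),
                       ("hardened", SELF_ACI_HARDENED),
                       ("System: Change User password", CHANGE_USER_PASSWORD_ACI)]:
        left = self_writable_password_attrs(aci)
        print("%-30s self can still write: %s" % (label, sorted(left) or "nothing"))
```

Feed it the `aci:` line from `ipa selfservice-show 'Self can write own password' --raw`. With the Web UI edit from the thread it still reports krbprincipalkey, which is why the non-admin password change kept working; once only an attribute like ipasshpubkey is left it returns an empty set, and the group-based "System: Change User password" ACI is reported as granting nothing to self because its bind rule is a groupdn, not ldap:///self.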


--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
