Ronald Wimmer wrote:
> 
> 
> On 13.02.25 17:42, Rob Crittenden wrote:
>> Ronald Wimmer wrote:
>>> On 12.02.25 19:15, Rob Crittenden wrote:
>>>> More specifics would help. How did it not work as expected? What is the
>>>> full ACI you came up with?
>>>>
>>>> The idea is that this is granted to all authenticated users EXCEPT
>>>> those
>>>> in the, in your case, iam-managed-users and admins groups.
>>>>
>>> We did not use RBAC much up to now. So it is very likely that I did not
>>> fully grasp the whole concept yet.
>>>
>>> What I did was adding users to a group called
>>> cn=iam-managed-users,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at
>>> and modifying the target filter to
>>> (&(!(memberOf=cn=iam-managed-users,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at))(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at))).
>>>
>>>
>>>
>>> Nothing else. Because I thought the "System: Change User" permission
>>> applies to all IPA users by default. This assumption might probably be
>>> wrong...
>>>
>>>
>>
>> It is controlled by 'Self can write own password'
>>
>> $ ipa selfservice-show 'Self can write own password'
>>    Self-service name: Self can write own password
>>    Permissions: write
>>    Attributes: userpassword, krbprincipalkey, sambalmpassword,
>> sambantpassword
>>
>> aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword
>> || sambantpassword")(version 3.0; acl "selfservice:Self can write own
>> password"; allow (write) userdn="ldap:///self";;)
> 
>   ipapermtargetfilter:
> (&(!(memberOf=cn=iam-managed-users,cn=groups,cn=accounts,dc=ipatest,dc=mydomain,dc=at))(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipatest,dc=mydomain,dc=at)))
> 
>   ipapermissiontype: SYSTEM
>   ipapermissiontype: V2
>   ipapermissiontype: MANAGED
>   aci: (targetattr = "krbpasswordexpiration || krbprincipalkey ||
> passwordhistory || sambalmpassword || sambantpassword ||
> userpassword")(targetfilter =
> "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipatest,dc=mydomain,dc=at))(objectclass=posixaccount))")(version
> 3.0;acl "permission:System: Change User password";allow (write) groupdn
> = "ldap:///cn=System: Change User
> password,cn=permissions,cn=pbac,dc=ipatest,dc=mydomain,dc=at";)
> 
> Modifying the ipapermtargetfilter (manually in LDAP) did not produce the
> aci I was expecting. Do I have to modify it by IPA API means (e.g. CLI?)
> or did I modify the wrong attribute?

This is the wrong permission. This handles who can change someone else's
password. To manage who can change their own you have to modify 'Self
can write own password' via the selfservice plugin.

rob

-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
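Added example (not from the thread, FreeIPA or 389-ds): it parses the two ACIs quoted above and evaluates their target filters against constructed sample entries, which makes Rob's point visible: the selfservice ACI binds to ldap:///self and carries no targetfilter, so no targetfilter edit on "System: Change User password" can exclude a group from changing its own passwords. The filter evaluator is a minimal one (only &, |, ! and exact equality); entry(), in_target() and scope() are helpers assumed here.

```python
import re

# Constructed copies (line breaks joined) of the two ACIs quoted in the thread.
SELF_ACI = ('(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")'
            '(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";;)')
PERM_ACI = ('(targetattr = "krbpasswordexpiration || krbprincipalkey || passwordhistory || sambalmpassword'
            ' || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,'
            'cn=accounts,dc=ipatest,dc=mydomain,dc=at))(objectclass=posixaccount))")(version 3.0;acl '
            '"permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change '
            'User password,cn=permissions,cn=pbac,dc=ipatest,dc=mydomain,dc=at";)')
# The filter Ronald wrote into ipapermtargetfilter, as quoted in the thread.
WANTED_FILTER = ('(&(!(memberOf=cn=iam-managed-users,cn=groups,cn=accounts,dc=ipatest,dc=mydomain,dc=at))'
                 '(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipatest,dc=mydomain,dc=at)))')

def parse_aci(aci):
    """Pull out the parts that decide an ACI's scope: the target filter and the bind rule."""
    tfilter = re.search(r'targetfilter\s*=\s*"([^"]*)"', aci)
    bind = re.search(r'\b(userdn|groupdn)\s*=\s*"([^"]*)"', aci)
    return {"targetfilter": tfilter.group(1) if tfilter else None,
            "bind_type": bind.group(1) if bind else None, "bind_dn": bind.group(2) if bind else None}

def scope(aci):  # 'self' when bound to ldap:///self (writes to one's own entry only), else 'others'
    return "self" if parse_aci(aci)["bind_dn"] == "ldap:///self" else "others"

def _parse_filter(s):
    """Minimal RFC 4515 parser (&, |, ! and attr=value, no wildcards) -> (predicate, unparsed rest)."""
    if s[1] in "&|!":
        op, s, kids = s[1], s[2:], []
        while s[0] == "(":
            kid, s = _parse_filter(s)
            kids.append(kid)
        combine = {"&": lambda e: all(k(e) for k in kids), "|": lambda e: any(k(e) for k in kids),
                   "!": lambda e: not kids[0](e)}[op]
        return combine, s[1:]  # skip the closing ')'
    end = s.index(")")
    attr, val = (x.lower() for x in s[1:end].split("=", 1))
    return (lambda e: val in [v.lower() for v in e.get(attr, [])]), s[end + 1:]

def matches(filt, entry):  # evaluate a filter against an entry given as {lower-case attr: [values]}
    pred, rest = _parse_filter(filt)
    assert rest == "", "trailing data after filter"
    return pred(entry)

def entry(uid, groups):  # constructed sample user in the ipatest realm used in the thread
    return {"uid": [uid], "objectclass": ["posixaccount"],
            "memberof": [f"cn={g},cn=groups,cn=accounts,dc=ipatest,dc=mydomain,dc=at" for g in groups]}

def in_target(aci, e):  # True when the entry falls under the ACI's targetfilter; no filter = every entry
    tf = parse_aci(aci)["targetfilter"]
    return tf is None or matches(tf, e)
```

Running it shows that a member of iam-managed-users is still inside the generated permission ACI (which only excludes admins) and is always inside the selfservice ACI, while the intended filter would exclude that user only if it were applied to an ACI that actually governs the entries in question.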