Ticket #2271 forbids helpdesk role users from changing the admin password directly, but they can still make this change if they remove the admin user's membership in the admins group or add themselves to the admins group:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: fbar@IDM.LAB.BOS.REDHAT.COM

# ipa passwd admin
New Password:
Enter New Password again to verify:
ipa: ERROR: Insufficient access: Insufficient access rights

But what about this little exercise:

# ipa group-remove-member admins --user=admin
Group name: admins
Description: Account administrators group
GID: 480800000
---------------------------
Number of members removed 1
---------------------------

# ipa passwd admin
New Password:
Enter New Password again to verify:
---------------------------------------------------
Changed password for "admin@IDM.LAB.BOS.REDHAT.COM"
---------------------------------------------------

# ipa group-add-member admins --user=admin
Group name: admins
Description: Account administrators group
GID: 480800000
Member users: admin
-------------------------
Number of members added 1
-------------------------
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=773759 (Red Hat Enterprise Linux 6)
Looks like this is what needs to be added: (targetfilter = "(!(cn=admins))")
Took me a while on this one because spaces seem to matter in filters. cn = admins != cn=admins.
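As an added illustration of the change described in the comment above (this is not the ticket's attached patch and not FreeIPA's own ACI text), here is the shape of the fix as an ldapmodify operation: the permission that lets helpdesk users edit group membership is replaced by the same ACI with a targetfilter that excludes the admins group. The permission name, the attribute list and the suffix dc=example,dc=com are assumed for the example, not copied from the FreeIPA defaults.

```ldif
# Constructed example: suffix, permission name and attribute list are assumed.
# Before: members of the permission group may write "member" on every group
# under cn=groups, including cn=admins, so a helpdesk user can add themselves
# to admins and then reset the admin password.
dn: dc=example,dc=com
changetype: modify
delete: aci
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=example,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=example,dc=com";)
-
# After: the targetfilter removes cn=admins from the set of entries the ACI
# applies to, so membership of the admins group can no longer be edited
# through this permission.
add: aci
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=example,dc=com")(targetfilter = "(!(cn=admins))")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=example,dc=com";)
```

The filter must be written exactly as `(!(cn=admins))`; as the comment above notes, `(cn = admins)` with spaces around the `=` is a different filter and does not match the admins entry, so the restriction would silently not apply. After applying the change, the check is to repeat the `ipa group-remove-member admins --user=admin` and `ipa group-add-member admins --user=<helpdesk user>` steps from the ticket as a helpdesk role user and confirm both now fail with "Insufficient access".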
attachment freeipa-rcrit-955-admins.patch
master: 960baae
ipa-2-2: 3961aa8
Metadata Update from @mkosek:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/02