#2416 Forbid helpdesk role users change admin password
Closed: Fixed. Opened 12 years ago by mkosek.

Ticket #2271 forbade helpdesk role users from changing the admin password directly, but they can still make this change if they remove the admin user's membership in the admins group or add themselves to the admins group:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: fbar@IDM.LAB.BOS.REDHAT.COM

# ipa passwd admin
New Password: 
Enter New Password again to verify: 
ipa: ERROR: Insufficient access: Insufficient access rights

But what about this little exercise:

# ipa group-remove-member admins --user=admin
  Group name: admins
  Description: Account administrators group
  GID: 480800000
---------------------------
Number of members removed 1
---------------------------
# ipa passwd admin
New Password: 
Enter New Password again to verify: 
---------------------------------------------------
Changed password for "admin@IDM.LAB.BOS.REDHAT.COM"
---------------------------------------------------
# ipa group-add-member admins --user=admin
  Group name: admins
  Description: Account administrators group
  GID: 480800000
  Member users: admin
-------------------------
Number of members added 1
-------------------------

Looks like this is what needs to be added: (targetfilter = "(!(cn=admins))")

Took me a while on this one because spaces seem to matter in filters. cn = admins != cn=admins.
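As an added example (not code from this ticket or from FreeIPA), here is a minimal evaluator for the subset of LDAP filter syntax the targetfilter above uses (equality, NOT, AND), applied to constructed group entries; it shows the admins group falling outside the permission and why a filter with stray spaces is not equivalent. The entries and the `helpdesk_may_modify` helper are assumptions made for illustration.

```python
# Minimal RFC 4515-style filter evaluator for the targetfilter in this ticket.
# Attribute names and values are taken verbatim (no whitespace stripping),
# which is what makes "(cn = admins)" differ from "(cn=admins)".

def parse_filter(text):
    """Parse a filter string into a nested tuple tree."""
    tree, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters in filter: %r" % text[pos:])
    return tree

def _parse(text, pos):
    if text[pos] != "(":
        raise ValueError("expected '(' at %d" % pos)
    pos += 1
    if text[pos] == "!":                       # NOT: exactly one sub-filter
        sub, pos = _parse(text, pos + 1)
        node = ("not", sub)
    elif text[pos] == "&":                     # AND: one or more sub-filters
        subs, pos = [], pos + 1
        while text[pos] == "(":
            sub, pos = _parse(text, pos)
            subs.append(sub)
        node = ("and", subs)
    else:                                      # equality: attr=value
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        node = ("eq", attr, value)             # spaces are kept as-is
        pos = end
    if text[pos] != ")":
        raise ValueError("expected ')' at %d" % pos)
    return node, pos + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict of attr -> [values])."""
    if node[0] == "eq":
        _, attr, value = node
        return value.lower() in [v.lower() for v in entry.get(attr.lower(), [])]
    if node[0] == "not":
        return not matches(node[1], entry)
    return all(matches(sub, entry) for sub in node[1])   # "and"

def helpdesk_may_modify(group_entry, targetfilter="(!(cn=admins))"):
    """True if the ACI's targetfilter selects this group, i.e. the rule applies."""
    return matches(parse_filter(targetfilter), group_entry)

# Constructed sample entries, not real directory data.
ADMINS = {"cn": ["admins"], "objectclass": ["posixgroup", "ipausergroup"]}
EDITORS = {"cn": ["editors"], "objectclass": ["posixgroup", "ipausergroup"]}
```

With the correct filter the admins group is excluded from the helpdesk rule; with `(!(cn = admins))` the inner equality never matches the entry's `cn`, so the negation is true for every group and the exclusion silently disappears.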

Metadata Update from @mkosek:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/02

7 years ago
