Assigning roles to your user will fix that issue. The existing "User Administrator" role may fit your needs, but I am unsure how restrictive you want to be with permissions.

If you want to be more restrictive, a custom role with "System: Change User password" permissions would seem to be the right way. Make a privilege that contains only that permission (and any other missing permissions down the road), add it to a new role and then assign that role to your user.

Bob

On Fri, Aug 4, 2017 at 10:12 AM, Tiemen Ruiten via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Hello,
>
> I setup an LDAP User Federation in Keycloak to our FreeIPA domain.
> Unfortunately, the password reset functionality appears to only work when
> the user Keycloak binds as is in the admins group. I tried both the User
> Administrator and helpdesk roles, but always got this error:
>
> Caused by: javax.naming.NoPermissionException: [LDAP: error code 50 -
> Insufficient 'write' privilege to the 'userPassword' attribute of entry
> 'uid=xxxxx,cn=users,cn=accounts,dc=example,dc=com'
>
> Is there a way to allow password resets without adding the keycloak bind
> user to the admins group?
>
>
> --
> Tiemen Ruiten
> Systems Engineer
> R&D Media
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
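The privilege -> permission -> role -> member chain Bob describes, written out as FreeIPA `ipa` CLI calls. This is an added example, not code from the thread or from the FreeIPA project. The permission name "System: Change User password" is the one named in the reply; the privilege name, role name and the bind account `svc-keycloak` are assumed placeholders, and the `DRY_RUN` switch is a convenience of this script (it prints the plan instead of calling `ipa`, so the delegation can be reviewed before it is applied).

```shell
#!/bin/sh
# Added example (not from the FreeIPA-users thread or the FreeIPA project):
# delegate only the password-reset permission to a service account, so the
# Keycloak bind user never has to be a member of the admins group.
#
# Assumed placeholder names; override them in the environment as needed.
PRIV="${PRIV:-Keycloak Password Reset}"
ROLE="${ROLE:-Keycloak Password Reset Role}"
BIND_USER="${BIND_USER:-svc-keycloak}"

# Run an ipa command, or print it when DRY_RUN=1 so the plan can be
# reviewed (and this script exercised) on a host without an IPA client.
ipa_run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'ipa'
        for arg in "$@"; do
            case "$arg" in
                *' '*) printf " '%s'" "$arg" ;;   # quote args containing spaces
                *)     printf ' %s' "$arg" ;;
            esac
        done
        printf '\n'
    else
        ipa "$@"
    fi
}

# The chain from the reply: a privilege holding exactly one managed
# permission, a role holding that privilege, and the bind user as member.
create_delegation() {
    ipa_run privilege-add "$PRIV" --desc="Reset user passwords only"
    ipa_run privilege-add-permission "$PRIV" \
        --permissions="System: Change User password"
    ipa_run role-add "$ROLE" --desc="Password reset via Keycloak LDAP federation"
    ipa_run role-add-privilege "$ROLE" --privileges="$PRIV"
    ipa_run role-add-member "$ROLE" --users="$BIND_USER"
}

# Afterwards: confirm what the permission actually grants, which privileges
# the role carries, and that the bind user's memberships list only this role
# (and not admins).
verify_delegation() {
    ipa_run permission-show "System: Change User password"
    ipa_run role-show "$ROLE"
    ipa_run user-show "$BIND_USER"
}

case "${1:-}" in
    plan)  DRY_RUN=1 create_delegation ;;
    apply) create_delegation && verify_delegation ;;
esac
```

Usage: `sh grant_password_reset_role.sh plan` prints the five `ipa` commands without touching the directory; `kinit` as an administrator and run `... apply` to create the delegation and display the resulting role and user. Keeping the permission in a privilege of its own (rather than reusing "User Administrator") means the bind account gets write access to the password attributes and nothing else, and further permissions can later be added to that same privilege without widening the role beyond what the integration needs.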