Tiemen Ruiten via FreeIPA-users wrote:
> As I mentioned in my first mail, that doesn't work. For testing, I
> created a new role that contains the following privileges:
> 
> Group Administrators
> Modify Group membership
> Modify Users and Reset passwords
> User Administrators
> 
> Unfortunately, I get the same error.

What version of IPA is this? The helpdesk role should be sufficient (and
works for me).

rob

> 
> On 4 August 2017 at 17:40, Bob Rentschler <bob.rentsch...@gmail.com
> <mailto:bob.rentsch...@gmail.com>> wrote:
> 
>     Assigning roles to your user will fix that issue. The existing "User
>     Administrator" role may fit your needs, but I am unsure how restrictive
>     you want to be with permissions.
> 
> 
>     If you want to be more restrictive a custom role with "System:
>     Change User password" permissions would seem to be the right way.
> 
>     Make a privilege that contains only that permission (and any other
>     missing permissions down the road), add it to a new role and then
>     assign that role to your user.
> 
> 
>     Bob
> 
>     On Fri, Aug 4, 2017 at 10:12 AM, Tiemen Ruiten via FreeIPA-users
>     <freeipa-users@lists.fedorahosted.org
>     <mailto:freeipa-users@lists.fedorahosted.org>> wrote:
> 
>         Hello,
> 
>         I set up an LDAP User Federation in Keycloak to our FreeIPA
>         domain. Unfortunately, the password reset functionality appears
>         to only work when the user Keycloak binds as is in the admins
>         group. I tried both the User Administrator and helpdesk roles,
>         but always got this error:
> 
>         Caused by: javax.naming.NoPermissionException: [LDAP: error code
>         50 - Insufficient 'write' privilege to the 'userPassword'
>         attribute of entry
>         'uid=xxxxx,cn=users,cn=accounts,dc=example,dc=com'
> 
>         Is there a way to allow password resets without adding the
>         keycloak bind user to the admins group?
> 
> 
>         -- 
>         Tiemen Ruiten
>         Systems Engineer
>         R&D Media
> 
>         _______________________________________________
>         FreeIPA-users mailing list --
>         freeipa-users@lists.fedorahosted.org
>         <mailto:freeipa-users@lists.fedorahosted.org>
>         To unsubscribe send an email to
>         freeipa-users-le...@lists.fedorahosted.org
>         <mailto:freeipa-users-le...@lists.fedorahosted.org>
> 
> -- 
> Tiemen Ruiten
> Systems Engineer
> R&D Media
> 
> 
> 
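The privilege-to-role route Bob describes, written out as ipa CLI commands, plus a check that repeats the exact LDAP operation behind the "Insufficient 'write' privilege to the 'userPassword' attribute" error. This is an added example, not code from the thread or from the FreeIPA project. The account name "keycloak-bind", the privilege and role names, BASE_DN, IPA_SERVER and BIND_PW are placeholders; the permission "System: Change User password" and the user DN layout come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): let an LDAP bind account, such as the one
# Keycloak uses for user federation, reset user passwords without being a member
# of the admins group.  Steps: privilege with one permission -> role -> assign
# the role to the bind account -> verify with the same LDAP modify that failed.
#
# Assumptions (placeholders, change them for your deployment):
#   - the bind account is the IPA user "keycloak-bind"
#   - privilege/role names are "Keycloak Password Reset"/"Keycloak Password Resetter"
#   - BASE_DN and IPA_SERVER point at your domain; BIND_PW holds the bind password
#   - an admin Kerberos ticket (kinit admin) is present when running "apply"
# Set IPA=echo for a dry run that prints the ipa commands instead of running them.

IPA="${IPA:-ipa}"
BIND_USER="${BIND_USER:-keycloak-bind}"
PRIVILEGE="${PRIVILEGE:-Keycloak Password Reset}"
ROLE="${ROLE:-Keycloak Password Resetter}"
BASE_DN="${BASE_DN:-dc=example,dc=com}"
IPA_SERVER="${IPA_SERVER:-ipa.example.com}"

# Built-in FreeIPA permission named in the thread.  It is the only permission
# the privilege gets, so the bind account cannot edit anything else on users.
PERMISSION="System: Change User password"

# Create the privilege, the role, link them and assign the role to the bind
# account.  The steps are chained with && so the first failure stops the run.
create_password_reset_role() {
    $IPA privilege-add "$PRIVILEGE" --desc="Reset user passwords only" &&
    $IPA privilege-add-permission "$PRIVILEGE" --permissions="$PERMISSION" &&
    $IPA role-add "$ROLE" --desc="Password reset for service accounts" &&
    $IPA role-add-privilege "$ROLE" --privileges="$PRIVILEGE" &&
    $IPA role-add-member "$ROLE" --users="$BIND_USER"
}

# Print the roles held by the bind account; the new role should be listed.
show_bind_user_roles() {
    $IPA user-show "$BIND_USER" --all | grep -i 'roles:'
}

# Build the LDIF for the operation Keycloak performs: replace userPassword on
# the target user's entry (DN layout taken from the error in the thread).
password_reset_ldif() {
    printf 'dn: uid=%s,cn=users,cn=accounts,%s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' \
        "$1" "$BASE_DN" "$2"
}

# Run that modify as the bind account (simple bind, StartTLS required).  Use a
# throwaway test user as $1; exit status 0 means the ACI now permits the write.
verify_password_write() {
    password_reset_ldif "$1" "$2" |
    ldapmodify -x -ZZ -H "ldap://$IPA_SERVER" \
        -D "uid=$BIND_USER,cn=users,cn=accounts,$BASE_DN" -w "$BIND_PW"
}

case "${1:-}" in
    apply)  create_password_reset_role && show_bind_user_roles ;;
    verify) verify_password_write "$2" "$3" ;;
esac
```

Usage: `IPA=echo sh reset-role.sh apply` prints the commands without touching the server; `sh reset-role.sh apply` with an admin ticket creates and assigns the role; `BIND_PW=... sh reset-role.sh verify testuser 'NewPass1'` performs the userPassword replace as the bind account against a throwaway user. Because the verify step is the same modify Keycloak issues, a success there means a remaining Keycloak failure is a federation configuration problem rather than a missing IPA privilege. Note that FreeIPA treats a password set by another account as an administrative reset, so the user is prompted to change it at next login.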
