Hello,

Sorry for the late reply. This is the latest FreeIPA version in CentOS 7.3 (4.4.0-14).

Indeed the helpdesk role should be sufficient. I tried with the User Administrator role as well, but that made no difference. Since it's working for you, it's likely a config error, but I have no idea where to look at this point. Do you have any pointers?

On 4 August 2017 at 19:19, Rob Crittenden <rcrit...@redhat.com> wrote:
> Tiemen Ruiten via FreeIPA-users wrote:
> > As I mentioned in my first mail, that doesn't work. For testing, I
> > created a new role that contains the following privileges:
> >
> > Group Administrators
> > Modify Group membership
> > Modify Users and Reset passwords
> > User Administrators
> >
> > Unfortunately, I get the same error.
>
> What version of IPA is this? The helpdesk role should be sufficient (and
> works for me).
>
> rob
>
> > On 4 August 2017 at 17:40, Bob Rentschler <bob.rentsch...@gmail.com> wrote:
> > >
> > > Assigning roles to your user will fix that issue. The existing "User
> > > Administrator" role may fit your needs, but I am unsure how restrictive
> > > you want to be with permissions.
> > >
> > > If you want to be more restrictive, a custom role with "System:
> > > Change User password" permissions would seem to be the right way.
> > >
> > > Make a privilege that contains only that permission (and any other
> > > missing permissions down the road), add it to a new role and then
> > > assign that role to your user.
> > >
> > > Bob
> > >
> > > On Fri, Aug 4, 2017 at 10:12 AM, Tiemen Ruiten via FreeIPA-users
> > > <freeipa-users@lists.fedorahosted.org> wrote:
> > > >
> > > > Hello,
> > > >
> > > > I set up an LDAP User Federation in Keycloak to our FreeIPA
> > > > domain. Unfortunately, the password reset functionality appears
> > > > to only work when the user Keycloak binds as is in the admins
> > > > group. I tried both the User Administrator and helpdesk roles,
> > > > but always got this error:
> > > >
> > > > Caused by: javax.naming.NoPermissionException: [LDAP: error code
> > > > 50 - Insufficient 'write' privilege to the 'userPassword'
> > > > attribute of entry
> > > > 'uid=xxxxx,cn=users,cn=accounts,dc=example,dc=com'
> > > >
> > > > Is there a way to allow password resets without adding the
> > > > keycloak bind user to the admins group?

-- 
Tiemen Ruiten
Systems Engineer
R&D Media
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
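The least-privilege approach Bob describes (a privilege holding only "System: Change User password", wrapped in a role and granted to the bind account), together with a way to reproduce the failing write outside Keycloak, as an added example that is not code from this thread, from FreeIPA or from Keycloak. The privilege/role name "Keycloak Password Reset", the bind account "keycloak-bind", the suffix dc=example,dc=com and the server name ipa.example.com are assumptions; the `ipa` subcommands and options are the standard FreeIPA CLI.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/Keycloak.
# Builds a least-privilege FreeIPA role for an external IdP's bind account
# so it can reset user passwords without being a member of the admins group.
# Assumed (hypothetical) names: privilege/role "Keycloak Password Reset",
# bind account "keycloak-bind", directory suffix dc=example,dc=com.
# Needs an admin Kerberos ticket (kinit admin) and the ipa client installed.
# Set IPA=echo to print the commands instead of running them.

IPA="${IPA:-ipa}"

# Managed permission in FreeIPA that carries the write ACI on userPassword.
PASSWD_PERM="System: Change User password"

# privilege -> attach permission -> role -> attach privilege -> add member.
# The && chain stops at the first failing step and returns its status.
create_password_reset_role() {
    name="$1"        # used for both the privilege and the role
    bind_user="$2"   # uid of the account the IdP binds as

    "$IPA" privilege-add "$name" --desc="Reset user passwords only" &&
    "$IPA" privilege-add-permission "$name" --permissions="$PASSWD_PERM" &&
    "$IPA" role-add "$name" --desc="Password resets for external IdP" &&
    "$IPA" role-add-privilege "$name" --privileges="$name" &&
    "$IPA" role-add-member "$name" --users="$bind_user"
}

# LDIF mirroring what the IdP sends on a reset: a plain modify/replace of
# userPassword on the user entry. Piping it into ldapmodify bound as the
# bind account exercises the ACI directly; LDAP error 50 ("Insufficient
# 'write' privilege") means the role grant did not take effect.
password_reset_ldif() {
    target_uid="$1"
    base_dn="$2"
    new_password="$3"
    printf 'dn: uid=%s,cn=users,cn=accounts,%s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' \
        "$target_uid" "$base_dn" "$new_password"
}

# Usage (bind password read from a file with -y, never from the command line):
#   create_password_reset_role "Keycloak Password Reset" keycloak-bind
#   password_reset_ldif testuser dc=example,dc=com 'Temp-Passw0rd' |
#     ldapmodify -H ldaps://ipa.example.com \
#       -D uid=keycloak-bind,cn=users,cn=accounts,dc=example,dc=com -y /root/bindpw
```

Two caveats a practitioner should expect from this permission: FreeIPA's ACI behind "System: Change User password" deliberately does not let the grantee reset passwords of admins group members, and a password set by anyone other than the user is expired immediately, so the user is forced to change it at next login. If the `ldapmodify` check succeeds while Keycloak still fails, the problem is in Keycloak's federation settings (bind DN, edit mode) rather than in FreeIPA's roles.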