On 12/02/2024 14.15, Christian Heimes wrote:
While writing the lines above another question came up in my mind:
Is there a way to forbid password modification for IPA users so that users are forced to do that in an external system?

Yes, that's easy, remove the self service permission "Self can write own password".

Actually, it's not *that* trivial. Alexander just pointed out to me that this will break service and host accounts requesting their own keytab. Oops!

You may be able to achieve the desired effect by replacing the ACI with a different self-service ACI that permits self-write for everybody except externally managed user accounts. Perhaps you can add your external users to a non-POSIX group and add a filter like

(targetfilter = "(memberOf!=cn=external-passwords,cn=groups,cn=accounts,$SUFFIX)")

to the self-service ACI.
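As an added illustration (not part of Christian's message), the script below evaluates such a targetfilter against constructed directory entries. It shows why a negated memberOf filter has the right shape for this problem: an entry that has no memberOf at all, such as a host or service principal, still matches the filter and therefore keeps its self-write, while a user in the group is excluded. The suffix and group DN are placeholders, and the filter is written in the RFC 4515 `(!(...))` spelling of the `!=` shorthand.

```python
import re

SUFFIX = "dc=example,dc=test"  # placeholder; use your own IPA suffix
EXTERNAL_GROUP = f"cn=external-passwords,cn=groups,cn=accounts,{SUFFIX}"
# RFC 4515 spelling of the "memberOf!=" shorthand used in the post.
TARGETFILTER = f"(!(memberOf={EXTERNAL_GROUP}))"

_SUBFILTER = re.compile(r"\((?:[^()]|\([^()]*\))*\)")  # one level of nesting


def matches(filt: str, entry: dict) -> bool:
    """Evaluate an LDAP filter subset (=, !, &, |) against an entry whose
    attribute values are lists. Attribute names are case-insensitive."""
    filt = filt.strip()
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError(f"malformed filter: {filt!r}")
    body = filt[1:-1]
    if body[:1] in ("&", "|", "!"):
        results = [matches(sub, entry) for sub in _SUBFILTER.findall(body[1:])]
        if body[0] == "&":
            return all(results)
        if body[0] == "|":
            return any(results)
        return not results[0]
    attr, _, value = body.partition("=")
    return value in entry.get(attr.lower(), [])


def self_write_allowed(entry: dict) -> bool:
    """True if the entry is still a target of the modified self-service ACI,
    i.e. it keeps the right to write its own password / keytab."""
    return matches(TARGETFILTER, entry)


# Constructed sample entries (not real directory data).
ENTRIES = {
    "alice (externally managed user)": {
        "objectclass": ["person"],
        "memberof": [f"cn=ipausers,cn=groups,cn=accounts,{SUFFIX}", EXTERNAL_GROUP],
    },
    "bob (IPA-managed user)": {
        "objectclass": ["person"],
        "memberof": [f"cn=ipausers,cn=groups,cn=accounts,{SUFFIX}"],
    },
    "host/web1 (host account, no memberOf at all)": {"objectclass": ["ipahost"]},
}

if __name__ == "__main__":
    for name, entry in ENTRIES.items():
        print(f"{name}: self-write {'kept' if self_write_allowed(entry) else 'revoked'}")
```

Before deploying the real ACI, run the same three cases with ldapsearch as each identity to confirm that hosts and services can still write their keytab while members of the external group cannot.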

Christian
--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security

Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org