On 12.02.24 14:36, Christian Heimes via FreeIPA-users wrote:
On 12/02/2024 14.15, Christian Heimes wrote:
While writing the lines above another question came up in my mind:
Is there a way to forbid password modification for IPA users so that
users are forced to do that in an external system?
Yes, that's easy, remove the self service permission "Self can write
own password".
Actually, it's not *that* trivial. Alexander just pointed out to me,
that this will break service and host accounts requesting their own
keytab. Oops!
You may be able to achieve the desired effect by replacing the ACI with
a different self-service ACI that permits self-write for everybody
except externally managed user accounts. Perhaps you can add your
external users to a non-POSIX group and add a filter like
(targetfilter =
"(!(memberOf=cn=external-passwords,cn=groups,cn=accounts,$SUFFIX))")
to the self-service ACI.
That's a great idea. Thanks for that!
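An added example, not part of the original thread and not FreeIPA code: a small model of which entries a negated-membership targetfilter selects, with the filter written in the standard LDAP NOT form. The suffix `dc=example,dc=test` and all entries are constructed sample data, the DN normalisation is simplified, and the function names are hypothetical.

```python
# Added illustration: models which entries a negated-membership
# targetfilter selects. The group name follows the thread; the suffix
# and every entry below are constructed sample data.
SUFFIX = "dc=example,dc=test"  # assumption: stands in for $SUFFIX
GROUP_DN = f"cn=external-passwords,cn=groups,cn=accounts,{SUFFIX}"


def target_filter(group_dn):
    """Return an LDAP filter matching every entry NOT in group_dn."""
    return f"(!(memberOf={group_dn}))"


def norm_dn(dn):
    """Simplified DN normalisation: lower-case, trim around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def matches(entry, group_dn):
    """Evaluate (!(memberOf=group_dn)) against one entry (a dict).

    An entry with no memberOf values at all also matches, which is
    why host and service entries stay covered by the self-service ACI.
    """
    groups = {norm_dn(g) for g in entry.get("memberOf", [])}
    return norm_dn(group_dn) not in groups


def keeps_self_write(entries, group_dn):
    """DNs still selected by the filtered self-service ACI."""
    return sorted(dn for dn, e in entries.items() if matches(e, group_dn))


IPAUSERS = f"cn=ipausers,cn=groups,cn=accounts,{SUFFIX}"
ENTRIES = {  # constructed sample entries
    f"uid=alice,cn=users,cn=accounts,{SUFFIX}": {"memberOf": [IPAUSERS]},
    # bob is externally managed; note the different case and spacing
    f"uid=bob,cn=users,cn=accounts,{SUFFIX}": {
        "memberOf": [IPAUSERS, GROUP_DN.upper().replace(",", ", ")]},
    f"fqdn=host1.example.test,cn=computers,cn=accounts,{SUFFIX}": {},
    f"krbprincipalname=HTTP/host1.example.test@EXAMPLE.TEST,"
    f"cn=services,cn=accounts,{SUFFIX}": {},
}

if __name__ == "__main__":
    print(target_filter(GROUP_DN))
    for dn in keeps_self_write(ENTRIES, GROUP_DN):
        print("self-write kept:", dn)
```

Only `uid=bob` drops out; the host and service entries still match because they carry no `memberOf` value for the group.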