On Fri, 02 Sep 2016, Mike Driscoll wrote:
Hello. I want to script the new user creation process. I read in section 9.4 that "any user who has password change rights can change a password and no password policies are applied, but the other user must reset the password at the next login." I want to create an account with this limited capability for inclusion in a script. But I can't figure out how to configure an account to have this capability without being a full admin. How can I create new user accounts and set initial passwords in a script?
You need to create a permission that allows writing to the password attributes. Then create a privilege and a role that use this permission.
Then you would assign the user that is capable of resetting passwords to that role, and it should be enough. I recently wrote an article on how to create new permissions: https://vda.li/en/posts/2016/08/30/Creating-permissions-in-FreeIPA/

You only need to look at the selfservice rule 'Self can write own password' and create a normal permission with similar effective attributes:

  # ipa selfservice-show 'Self can write own password'
    Self-service name: Self can write own password
    Permissions: write
    Attributes: userpassword, krbprincipalkey, sambalmpassword, sambantpassword

Note the difference between a selfservice rule and a permission: the former is always executed against the SELFDN of a bind identity, e.g. those who authenticate, while the latter can take care of both the target and the bind identity.

-- 
/ Alexander Bokovoy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
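The procedure Alexander describes (permission over the four password attributes, wrapped in a privilege and a role, with the provisioning account as role member), followed by the user-creation step Mike asked about, as an added example that is not part of the original thread and not FreeIPA's own code. The permission, privilege and role names, the account name svc-provision, and the use of the built-in "User Administrators" privilege for the user-add right are assumptions; the ipa(1) subcommands and options are the standard FreeIPA 4.x ones. By default the script only prints the commands it would run; set APPLY=1 to execute them, with a valid Kerberos ticket for the account in question.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from FreeIPA itself.
# Usage:  ./provision.sh setup                 (once, as an IPA admin)
#         APPLY=1 ./provision.sh add jdoe Jane Doe   (as svc-provision)
set -eu

# Hypothetical names; pick whatever fits your deployment.
PERM="Set initial user passwords"
PRIV="Password Setters"
ROLE="Account Provisioning"
PROVISIONER="${PROVISIONER:-svc-provision}"

# Execute an ipa(1) command, or just print it when APPLY is unset (dry run).
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# One-time setup as an admin. The permission mirrors the attribute list of the
# built-in selfservice rule 'Self can write own password', but as a regular
# permission whose target is user entries rather than SELFDN.
setup_role() {
    run ipa permission-add "$PERM" --type=user --right=write \
        --attrs=userpassword --attrs=krbprincipalkey \
        --attrs=sambalmpassword --attrs=sambantpassword
    run ipa privilege-add "$PRIV" --desc="Write user password attributes"
    run ipa privilege-add-permission "$PRIV" --permissions="$PERM"
    run ipa role-add "$ROLE" --desc="Limited account-provisioning role"
    run ipa role-add-privilege "$ROLE" --privileges="$PRIV"
    # Creating the entry itself is a separate right; the thread only covers
    # passwords. Assumption: the built-in privilege "User Administrators"
    # carries the user-add permission.
    run ipa role-add-privilege "$ROLE" --privileges="User Administrators"
    run ipa role-add-member "$ROLE" --users="$PROVISIONER"
}

# Day-to-day step, run as the provisioning account (e.g. after
# kinit -kt /etc/svc-provision.keytab svc-provision). The password set this
# way is expired immediately, so the user must choose a new one at first login.
provision_user() {
    [ $# -eq 3 ] || { echo 'usage: provision_user UID FIRST LAST' >&2; return 2; }
    uid=$1 first=$2 last=$3
    run ipa user-add "$uid" --first="$first" --last="$last"
    if [ "${APPLY:-0}" = "1" ]; then
        # Random initial password, never placed on a command line.
        initial_pw=$(head -c 18 /dev/urandom | base64)
        # Assumption: ipa(1) reads the password from stdin when stdin is not a tty.
        printf '%s\n' "$initial_pw" | ipa passwd "$uid" >/dev/null
        printf '%s\n' "$initial_pw"   # hand this to the new user out of band
    else
        run ipa passwd "$uid"
    fi
}

if [ $# -gt 0 ]; then
    case "$1" in
        setup) setup_role ;;
        add)   shift; provision_user "$@" ;;
        *)     echo "usage: $0 setup | add UID FIRST LAST" >&2; exit 2 ;;
    esac
fi
```

One caveat worth checking before rolling this out: a permission with --type=user and no further target restriction lets the role holder overwrite the password of every user entry, including admin accounts. If the provisioning account should only ever touch freshly created users, narrow the permission's target (for example with --memberof or --filter on ipa permission-add) rather than relying on the script to behave.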