By default the admin cannot unlock a user.
Steps to reproduce:
1. Log in as admin.
2. Add a new user.
3. Unlock the user.
Actual result:
Insufficient access: Insufficient 'write' privilege to the 'krbLoginFailedCount' attribute of entry 'uid=testuser,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'.
Expected result: The operation should succeed.
Workaround:
ipa role-add-member --groups=admins 'User Administrator'
Good catch, this needs to be fixed before 4.0 GA:
$ kinit admin
[root@ipa ~]# echo foo | kinit fbar
Password for fbar@MKOSEK-FEDORA20.TEST:
kinit: Password incorrect while getting initial credentials
[root@ipa ~]# echo foo | kinit fbar
Password for fbar@MKOSEK-FEDORA20.TEST:
kinit: Password incorrect while getting initial credentials
[root@ipa ~]# echo foo | kinit fbar
Password for fbar@MKOSEK-FEDORA20.TEST:
kinit: Password incorrect while getting initial credentials
[root@ipa ~]# echo foo | kinit fbar
Password for fbar@MKOSEK-FEDORA20.TEST:
kinit: Password incorrect while getting initial credentials
[root@ipa ~]# echo foo | kinit fbar
Password for fbar@MKOSEK-FEDORA20.TEST:
kinit: Password incorrect while getting initial credentials
[root@ipa ~]# echo foo | kinit fbar
Password for fbar@MKOSEK-FEDORA20.TEST:
kinit: Password incorrect while getting initial credentials
[root@ipa ~]# echo foo | kinit fbar
kinit: Clients credentials have been revoked while getting initial credentials
[root@ipa ~]# ipa user-unlock fbar
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'krbLoginFailedCount' attribute of entry 'uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test'.
IMO, we should just remove all attributes in Unlock permission from admin's exception list:
Permission name: System: Unlock User
Granted rights: write
Effective attributes: krblastadminunlock, krbloginfailedcount, nsaccountlock
Default attributes: krbloginfailedcount, krblastadminunlock, nsaccountlock
Bind rule type: permission
Subtree: cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
Type: user
Granted to Privilege: User Administrators
Indirect Member of roles: User Administrator
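To make the cause of the comment above concrete, here is an added audit script (not FreeIPA code) that checks whether the attributes granted by the "System: Unlock User" permission sit in the "targetattr !=" exclusion list of an admins ACI, and shows the ACI with those attributes dropped from the exclusion, which is the fix proposed above. The ACI string and suffix are constructed samples in 389-DS ACI syntax; the attribute names come from the permission shown in the ticket.

```python
import re

# Constructed sample (not FreeIPA's actual ACI): a 389-DS style ACI of the
# shape used for the admins group. Its "targetattr !=" exclusion list wrongly
# contains the attributes that "System: Unlock User" needs to write.
ADMIN_ACI = (
    '(targetattr != "userPassword || krbPrincipalKey || krbLastAdminUnlock '
    '|| krbLoginFailedCount || nsAccountLock")'
    '(version 3.0; acl "Admin can manage any entry"; allow (all) '
    'groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=test";)'
)

# Effective attributes of "System: Unlock User", as listed in the ticket.
UNLOCK_ATTRS = ("krblastadminunlock", "krbloginfailedcount", "nsaccountlock")

_EXCL = re.compile(r'\(targetattr\s*!=\s*"([^"]*)"\)')


def excluded_attrs(aci):
    """Attribute names (lower-cased) excluded by the ACI's 'targetattr !=' clause."""
    m = _EXCL.search(aci)
    if not m:
        return set()
    return {a.strip().lower() for a in m.group(1).split("||") if a.strip()}


def blocked_attrs(aci, perm_attrs):
    """Permission attributes this ACI can never grant because they are excluded."""
    return excluded_attrs(aci) & {a.lower() for a in perm_attrs}


def drop_from_exclusion(aci, perm_attrs):
    """Return the ACI with perm_attrs removed from its exclusion list."""
    m = _EXCL.search(aci)
    if not m:
        return aci
    drop = {a.lower() for a in perm_attrs}
    keep = [a.strip() for a in m.group(1).split("||")
            if a.strip() and a.strip().lower() not in drop]
    return aci[:m.start()] + '(targetattr != "' + " || ".join(keep) + '")' + aci[m.end():]


if __name__ == "__main__":
    print("blocked for admins:", sorted(blocked_attrs(ADMIN_ACI, UNLOCK_ATTRS)))
    print("fixed ACI:", drop_from_exclusion(ADMIN_ACI, UNLOCK_ATTRS))
```

Running it against a live server would mean feeding it the real "aci" values read from the suffix entry with ldapsearch; any attribute reported as blocked explains an "Insufficient 'write' privilege" error like the one in the report.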
master:
Metadata Update from @edewata:
- Issue assigned to pviktori
- Issue set to the milestone: FreeIPA 4.0 GA