Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1519723
Description of problem:

I don't know if this has been on purpose as a feature or if it could be considered as a bug. Customers are confused about this. For them, adding a user to the group "cn=admins" is enough to make a user have the same rights as the "admin" user. But there's at least a Permission missing, that is to be able to do this:

    aci: (targetattr = "krblastpwdchange || krbpasswordexpiration || krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=cgparente,dc=local")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Reset Preserved User password";allow (read,search,write) groupdn = "ldap:///cn=System: Reset Preserved User password,cn=permissions,cn=pbac,dc=cgparente,dc=local";)

Example: user "example" is a member of admin groups:

    ipa group-show admins
      Group name: admins
      Description: Account administrators group
      GID: 142600000
      Member users: admin, example
      Member of groups: ad_users

    kinit example
    Password for example@CGPARENTE.LOCAL:

    ipa user-del test --preserve
    ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'krbLastPwdChange' attribute of entry 'uid=test,cn=deleted users,cn=accounts,cn=provisioning,dc=cgparente,dc=local'

    ipa role-add-member "User Administrator" --user=example
    kinit example
    ipa user-del test --preserve

Works.
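The following is an added example, not part of the original report and not FreeIPA code: it parses the ACI quoted above and evaluates the bind rule against two bind-user states, showing why membership in admins alone does not satisfy this ACI's `groupdn`. The memberOf values are constructed, the admins group DN is assumed, and the assumption that the role membership resolves to the permission's DN is inferred from the second attempt in the report; wildcard and filter handling are simplified.

```python
import re
from fnmatch import fnmatchcase

# ACI quoted in the ticket, with the line-wrap spaces removed.
ACI = (
    '(targetattr = "krblastpwdchange || krbpasswordexpiration || krbprincipalkey || userpassword")'
    '(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=cgparente,dc=local")'
    '(targetfilter = "(objectclass=posixaccount)")'
    '(version 3.0;acl "permission:System: Reset Preserved User password";'
    'allow (read,search,write) groupdn = "ldap:///cn=System: Reset Preserved User password,'
    'cn=permissions,cn=pbac,dc=cgparente,dc=local";)'
)

def parse_aci(text):
    """Parse a single-rule ACI of the shape above (not the full 389-DS grammar)."""
    kw = {k.lower(): v for k, v in re.findall(r'\((target\w*)\s*=\s*"([^"]*)"\)', text)}
    rule = re.search(r'acl "([^"]+)";\s*allow \(([^)]*)\)\s*groupdn\s*=\s*"ldap:///([^"]+)"', text)
    oc = re.fullmatch(r'\(objectclass=([\w-]+)\)', kw.get("targetfilter", ""), re.I)
    if not (rule and oc and "targetattr" in kw and "target" in kw):
        raise ValueError("unsupported ACI shape")
    return {
        "name": rule.group(1),
        "rights": {r.strip().lower() for r in rule.group(2).split(",")},
        "groupdn": rule.group(3).lower(),
        "attrs": {a.strip().lower() for a in kw["targetattr"].split("||")},
        "target": kw["target"].split("ldap:///", 1)[-1].lower(),
        "objectclass": oc.group(1).lower(),
    }

def grants(aci, member_of, entry_dn, object_classes, attr, right):
    """True if this one ACI allows `right` on `attr` of the entry for the bind user."""
    return (
        aci["groupdn"] in {g.lower() for g in member_of}
        and fnmatchcase(entry_dn.lower(), aci["target"])  # '*' handled as a glob
        and aci["objectclass"] in {o.lower() for o in object_classes}
        and attr.lower() in aci["attrs"]
        and right.lower() in aci["rights"]
    )

# Constructed memberOf sets: admins only, then with the permission DN (assumed role effect).
SUFFIX = "dc=cgparente,dc=local"
ADMINS_ONLY = ["cn=admins,cn=groups,cn=accounts," + SUFFIX]
WITH_ROLE = ADMINS_ONLY + ["cn=System: Reset Preserved User password,cn=permissions,cn=pbac," + SUFFIX]
ENTRY = "uid=test,cn=deleted users,cn=accounts,cn=provisioning," + SUFFIX

if __name__ == "__main__":
    aci = parse_aci(ACI)
    for label, groups in (("admins only", ADMINS_ONLY), ("with role", WITH_ROLE)):
        print(label, grants(aci, groups, ENTRY, ["posixAccount"], "krbLastPwdChange", "write"))
```
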
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1519723
Metadata Update from @frenaud: - Issue assigned to frenaud
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1426
Metadata Update from @frenaud: - Issue priority set to: important - Issue set to the milestone: FreeIPA 4.6.3
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.6.4 (was: FreeIPA 4.6.3)
FreeIPA 4.6.3 has been released, moving to FreeIPA 4.6.4 milestone
master:
ipa-4-6:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)