#9489 The change for preventing deletion of the admin user caused a regression in disable
Closed: fixed 9 months ago by frenaud. Opened a year ago by rcritten.

Issue

https://pagure.io/freeipa/issue/8878 provided a change to prevent the admin user from being deleted. The function check_protected_member() was updated to skip the group check and enforce that protected users aren't being changed.

The check for disabling the last admin should be restored.

Steps to Reproduce

  1. ipa user-disable admin

Actual behavior

$ ipa user-disable admin
ipa: ERROR: user admin cannot be deleted/modified: privileged user
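
The guard behaviour described in this ticket, as an added example that is not part of the original ticket and is not FreeIPA source code: a simplified Python model contrasting the regressed check with the restored last-admin check. The class, function, and data names (`Directory`, `check_regressed`, `check_restored`, `attempt`, user `alice`) are hypothetical.

```python
from dataclasses import dataclass

# Simplified model for illustration; names and data layout are assumptions,
# not FreeIPA source code.
PROTECTED_USERS = {"admin"}
ADMIN_GROUP = "admins"
PROTECTED_MSG = "user {} cannot be deleted/modified: privileged user"

class ProtectedEntryError(Exception): pass
class LastMemberError(Exception): pass

@dataclass
class Directory:
    enabled: dict  # uid -> account enabled?
    admins: set    # member uids of ADMIN_GROUP

    def enabled_admins(self):
        return {u for u in self.admins if self.enabled.get(u)}

def check_regressed(d, uid, op):
    # Reported behaviour: every operation on a protected user is refused
    # and the group membership check is never reached.
    if uid in PROTECTED_USERS:
        raise ProtectedEntryError(PROTECTED_MSG.format(uid))

def check_restored(d, uid, op):
    # Deleting a protected user stays forbidden.
    if op == "delete" and uid in PROTECTED_USERS:
        raise ProtectedEntryError(PROTECTED_MSG.format(uid))
    # Neither delete nor disable may remove the last enabled admin.
    if d.enabled_admins() == {uid}:
        raise LastMemberError(f"{uid} is the last enabled member of {ADMIN_GROUP}")

def attempt(d, uid, op, check):
    """Apply op ('disable' or 'delete') if the guard allows it; return the outcome."""
    try:
        check(d, uid, op)
    except (ProtectedEntryError, LastMemberError) as e:
        return type(e).__name__
    if op == "disable":
        d.enabled[uid] = False
    else:  # delete
        d.enabled.pop(uid, None)
        d.admins.discard(uid)
    return "ok"

def sample_directory():
    # Constructed sample data: two enabled members of the admins group.
    return Directory(enabled={"admin": True, "alice": True}, admins={"admin", "alice"})
```
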


Metadata Update from @rcritten:
- Issue assigned to rcritten

9 months ago

Hello,
We use a FreeIPA (docker: freeipa/freeipa-server:rocky-9-4.10.2) based central auth system for our VPN connection. The VPN endpoint is widely open, and now there is nonstop brute-force attacking.

We have a high-security admin pw, but it would be better to disable the admin account - is there a way to do so?

Regards, Bence

master:

  • 6b0f6ff Allow the admin user to be disabled

ipa-4-11:

  • 93ecb29 Allow the admin user to be disabled

ipa-4-10:

  • b8c5b93 Allow the admin user to be disabled

ipa-4-9:

  • 137814f Allow the admin user to be disabled

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

9 months ago

master:

  • dda2236 webui test: Update message for admin disable

ipa-4-11:

  • 0ccff90 webui test: Update message for admin disable

ipa-4-10:

  • d2fa124 webui test: Update message for admin disable

ipa-4-9:

  • 36d0933 webui test: Update message for admin disable
9 months ago
