search

larrabee / freeipa-password-reset

Self-service password reset app for FreeIPA
GNU General Public License v3.0
88 stars 30 forks source link

Cannot update your password. Insufficient access: Insufficient 'write' privilege to the 'userPassword' attribute of entry '<DN-NAME-HERE>'. #48

Open evgenyvasilchenko opened 3 years ago

evgenyvasilchenko commented 3 years ago

Getting the below error message on reset page:

Cannot update your password. Insufficient access: Insufficient 'write' privilege to the 'userPassword' attribute of entry ''.

image

Adding user to "ldap-passwd-reset" to the "admins" FreeIPA group helps to solve the issue, but I don't want to leave it permanently over there.

CentOS Linux release 7.9.2009 (Core)

$ ipa --version VERSION: 4.6.8, API_VERSION: 2.237

The latest version of the freeipa-password-reset as of Jan 4th, 2021

larrabee commented 3 years ago

Привет. Проверь, что у тебя выполнены шаги:

ipa role-add "Self Password Reset"
ipa role-add-member "Self Password Reset" --users="ldap-passwd-reset"
ipa role-add-privilege "Self Password Reset" --privileges="Modify Users and Reset passwords"
ipa role-add-privilege "Self Password Reset" --privileges="Password Policy Readers"
ipa role-add-privilege "Self Password Reset" --privileges="Kerberos Ticket Policy Readers"
ipa permission-mod "System: Change User password" --includedattrs="krbloginfailedcount"

Посмотреть выданные юзеру привелегии можно в веб интерфейсе. У приведегии "Modify Users and Reset passwords" должно быть право записи в поле userPassword (по дефолту оно есть).

evgenyvasilchenko commented 3 years ago

Привет Владимир!

Да я проверил конечно прежде чем писать. Но сейчас ещё раз перепроверю на всякий случай.

Спасибо!

Евгений

On Fri., Jan. 8, 2021, 5:37 a.m. Vladimir Buyanov notifications@github.com wrote:

Привет. Проверь, что у тебя выполнены шаги:

ipa role-add "Self Password Reset"

ipa role-add-member "Self Password Reset" --users="ldap-passwd-reset"

ipa role-add-privilege "Self Password Reset" --privileges="Modify Users and Reset passwords"

ipa role-add-privilege "Self Password Reset" --privileges="Password Policy Readers"

ipa role-add-privilege "Self Password Reset" --privileges="Kerberos Ticket Policy Readers"

ipa permission-mod "System: Change User password" --includedattrs="krbloginfailedcount"

Посмотреть выданные юзеру привелегии можно в веб интерфейсе. У приведегии "Modify Users and Reset passwords" должно быть право записи в поле userPassword (по дефолту оно есть).

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/larrabee/freeipa-password-reset/issues/48#issuecomment-756759573, or unsubscribe https://github.com/notifications/unsubscribe-auth/AEDDD7VAYIZUD75JK47VD73SY4DDJANCNFSM4VT5S7WA .

g0ha1 commented 2 years ago

Привет, это сообщение появляется при попытке сменить пароль юзеру, состоящему в группе "admins". Обычных юзеров это не затрагивает.

vmario89 commented 1 year ago

translated the last comment "Hi, this message appears when you try to change the password for a user who is a member of the "admins" group. This does not affect regular users.". Indeed this seems to be the issue at my case, because i get the same error message