On Mon, 18 Mar 2019, Mateusz O via FreeIPA-users wrote:
Hello,
I want to give users the possibility to change their password, but when I
log in using a user from the ipausers group I can view others' accounts and
reset their passwords. How to block it? I want to set everything to
block a normal user from group ipausers from viewing others' accounts (he's able
to see only his account) and reset only his password.
See
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Can you expand a bit on the second part of your question? A user other
than being a member of a role that allows to reset others' passwords
cannot reset anyone's but his/her own password.
There is a helpdesk role that gives access to the 'Modify Users and
Reset passwords' privilege. Maybe your users are members of such a
role?
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland