On 12/02/2024 14.15, Christian Heimes wrote:
While writing the lines above another question came up in my mind: Is there a way to forbid password modification for IPA users so that users are forced to do that in an external system?
Yes, that's easy, remove the self service permission "Self can write own password".
Actually, it's not *that* trivial. Alexander just pointed out to me that this will break service and host accounts requesting their own keytab. Oops!
You may be able to achieve the desired effect by replacing the ACI with a different self-service ACI that permits self-write for everybody except externally managed user accounts. Perhaps you can add your external users to a non-POSIX group and add a filter like
(targetfilter = "(!(memberOf=cn=external-passwords,cn=groups,cn=accounts,$SUFFIX))")
to the self-service ACI.
Christian
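An added example, not from the thread or from FreeIPA itself, that builds the replacement self-service ACI with the group-based targetfilter and checks which kinds of entries it still grants self-write to. The suffix, group name, sample DNs and the targetattr list are constructed for illustration; a real deployment should copy the attribute list from the existing "Self can write own password" ACI.

```python
# Constructed values (not from any real deployment)
SUFFIX = "dc=example,dc=test"
EXTERNAL_GROUP = f"cn=external-passwords,cn=groups,cn=accounts,{SUFFIX}"


def replacement_aci(group_dn: str) -> str:
    """Return the replacement self-service ACI as a 389-ds ACI string.

    The exclusion is written with the LDAP NOT operator (!(...)); an LDAP
    filter has no '!=' comparison, so "(memberOf!=...)" would not parse.
    The targetattr list is an assumption; copy it from the existing ACI.
    """
    return (
        '(targetattr = "userPassword || krbPrincipalKey || passwordHistory")'
        f'(targetfilter = "(!(memberOf={group_dn}))")'
        '(version 3.0; acl "selfservice:Self can write own password '
        '(except externally managed users)"; '
        'allow (write) userdn = "ldap:///self";)'
    )


def self_write_allowed(entry: dict, group_dn: str) -> bool:
    """Evaluate the targetfilter against one entry (attribute -> values).

    DN values are compared case-insensitively, as DN matching does.
    An entry with no memberOf at all (typical for hosts) still matches.
    """
    members = [v.lower() for v in entry.get("memberOf", [])]
    return group_dn.lower() not in members


# Constructed sample entries: two users, one host, one service principal
ENTRIES = {
    f"uid=alice,cn=users,cn=accounts,{SUFFIX}": {
        "memberOf": [EXTERNAL_GROUP, f"cn=ipausers,cn=groups,cn=accounts,{SUFFIX}"]},
    f"uid=bob,cn=users,cn=accounts,{SUFFIX}": {
        "memberOf": [f"cn=ipausers,cn=groups,cn=accounts,{SUFFIX}"]},
    f"fqdn=web1.example.test,cn=computers,cn=accounts,{SUFFIX}": {},
    f"krbprincipalname=HTTP/web1.example.test@EXAMPLE.TEST,cn=services,cn=accounts,{SUFFIX}": {
        "memberOf": []},
}


def self_write_map(entries: dict, group_dn: str) -> dict:
    """Map each DN to whether the replacement ACI grants it self-write."""
    return {dn: self_write_allowed(e, group_dn) for dn, e in entries.items()}


if __name__ == "__main__":
    print(replacement_aci(EXTERNAL_GROUP))
    for dn, allowed in self_write_map(ENTRIES, EXTERNAL_GROUP).items():
        print(f"{'allowed' if allowed else 'denied ':8} {dn}")
```

The host and service entries keep self-write because they are not members of the exclusion group, which is the case the original permission removal would have broken.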