Ronald Wimmer wrote:
On 19.02.25 13:48, Rob Crittenden via FreeIPA-users wrote:
Ronald Wimmer wrote:
On 13.02.25 17:42, Rob Crittenden wrote:
Ronald Wimmer wrote:
On 12.02.25 19:15, Rob Crittenden wrote:
More specifics would help. How did it not work as expected? What is the full ACI you came up with?
The idea is that this is granted to all authenticated users EXCEPT those in the, in your case, iam-managed-users and admins groups.
We did not use RBAC much up to now. So it is very likely that I did not fully grasp the whole concept yet.
What I did was adding users to a group called cn=iam-managed-users,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at and modifying the target filter to (&(!(memberOf=cn=iam-managed-users,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at))(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at))).
Nothing else. Because I thought the "System: Change User" permission applies to all IPA users by default. This assumption might probably be wrong...
It is controlled by 'Self can write own password'
$ ipa selfservice-show 'Self can write own password'
  Self-service name: Self can write own password
  Permissions: write
  Attributes: userpassword, krbprincipalkey, sambalmpassword, sambantpassword
aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)
ipapermtargetfilter: (&(!(memberOf=cn=iam-managed-users,cn=groups,cn=accounts,dc=ipatest,dc=mydomain,dc=at))(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipatest,dc=mydomain,dc=at)))
ipapermissiontype: SYSTEM
ipapermissiontype: V2
ipapermissiontype: MANAGED
aci: (targetattr = "krbpasswordexpiration || krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipatest,dc=mydomain,dc=at))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipatest,dc=mydomain,dc=at";)
Modifying the ipapermtargetfilter (manually in LDAP) did not produce the aci I was expecting. Do I have to modify it by IPA API means (e.g. CLI?) or did I modify the wrong attribute?
This is the wrong permission. This handles who can change someone else's password. To manage who can change their own you have to modify 'Self can write own password' via the selfservice plugin.
I see. But when I remove all the password-relevant attributes as an admin, users are still able to change their passwords...
You're saying users that are also admins can change their own passwords? admins are special so there may be additional ACIs involved.
rob
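To make the distinction Rob draws concrete, here is an added Python helper (not from the thread and not FreeIPA's own code) that parses the two ACI strings quoted above and reports who may write which attributes: the selfservice ACI binds on userdn="ldap:///self", the "System: Change User password" ACI on a permission groupdn. It assumes only the 389-ds ACI syntax visible in the thread and is meant for auditing what an edited selfservice entry actually grants.

```python
import re

# The two ACIs exactly as quoted in the thread (constructed copies).
SELF_ACI = ('(targetattr = "userpassword || krbprincipalkey || sambalmpassword || '
            'sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; '
            'allow (write) userdn="ldap:///self";)')
SYSTEM_ACI = ('(targetattr = "krbpasswordexpiration || krbprincipalkey || passwordhistory || '
              'sambalmpassword || sambantpassword || userpassword")(targetfilter = '
              '"(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipatest,dc=mydomain,dc=at))'
              '(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User '
              'password";allow (write) groupdn = "ldap:///cn=System: Change User password,'
              'cn=permissions,cn=pbac,dc=ipatest,dc=mydomain,dc=at";)')

PASSWORD_ATTRS = {"userpassword", "krbprincipalkey", "sambalmpassword", "sambantpassword"}


def parse_aci(aci):
    """Extract the parts of a 389-ds ACI that decide who may write what."""
    attrs = re.search(r'targetattr\s*=\s*"([^"]*)"', aci)
    tfilter = re.search(r'targetfilter\s*=\s*"([^"]*)"', aci)
    name = re.search(r'acl\s+"([^"]*)"', aci)
    rights = re.search(r'allow\s*\(([^)]*)\)', aci)
    bind = re.search(r'(userdn|groupdn)\s*=\s*"([^"]*)"', aci)
    return {
        "name": name.group(1) if name else None,
        "attrs": sorted(a.strip().lower() for a in attrs.group(1).split("||")) if attrs else [],
        "targetfilter": tfilter.group(1) if tfilter else None,
        "rights": [r.strip() for r in rights.group(1).split(",")] if rights else [],
        "bind_rule": bind.group(1) if bind else None,   # userdn vs groupdn
        "bind_value": bind.group(2) if bind else None,
    }


def is_self_service(aci):
    """True when the ACI grants the bound user rights on its own entry."""
    p = parse_aci(aci)
    return p["bind_rule"] == "userdn" and (p["bind_value"] or "").lower() == "ldap:///self"


def password_attrs_self_writable(aci):
    """Password attributes a user could write on their own entry through this ACI."""
    p = parse_aci(aci)
    if not is_self_service(aci) or "write" not in p["rights"]:
        return set()
    return PASSWORD_ATTRS & set(p["attrs"])


if __name__ == "__main__":
    for aci in (SELF_ACI, SYSTEM_ACI):
        p = parse_aci(aci)
        print(p["name"], "->", p["bind_rule"], p["bind_value"], sorted(password_attrs_self_writable(aci)))
```

Running it on a live system's output of `ipa selfservice-show` after an edit shows immediately whether the self-write on password attributes is really gone, which is the check Rob is asking for.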
On 19.02.25 15:54, Rob Crittenden via FreeIPA-users wrote:
No. My expectation was that regular users cannot change their passwords anymore after I removed the password attributes from the selfservice permission you named above.
Ronald Wimmer via FreeIPA-users wrote:
It is very difficult to help you if you don't show your work.
What does the selfservice entry look like?
How are you testing the password change?
rob
On 19.02.25 16:40, Rob Crittenden via FreeIPA-users wrote:
Sorry. I'll try to be more specific. Initially I wanted to forbid password change for a certain user group. But now I just wanted to see it working in general. So... the IPA installation is completely unmodified in this regard.
What did I try? Taking away all password-related attributes I found in the "Self can write own password" permission. I did this with the IPA admin user.
What did I expect? That all non-admins cannot change their passwords anymore.
How did I try it? Logged in with a non-admin account on the IPA WebGUI and tried a password change (which unfortunately worked).
Ronald Wimmer via FreeIPA-users wrote:
You still haven't shown the selfservice permission.
How did you remove all attributes? It should throw an error about invalid or missing values.
rob
freeipa-users@lists.fedorahosted.org