Ronald Wimmer wrote:
On 19.02.25 19:37, Rob Crittenden wrote:
Ronald Wimmer via FreeIPA-users wrote:
On 19.02.25 16:40, Rob Crittenden via FreeIPA-users wrote:
Ronald Wimmer via FreeIPA-users wrote:
On 19.02.25 15:54, Rob Crittenden via FreeIPA-users wrote:
Ronald Wimmer wrote: > On 19.02.25 13:48, Rob Crittenden via FreeIPA-users wrote: >> Ronald Wimmer wrote: >>> >>> >>> On 13.02.25 17:42, Rob Crittenden wrote: >>>> Ronald Wimmer wrote: >>>>> On 12.02.25 19:15, Rob Crittenden wrote: >>>>>> More specifics would help. How did it not work as expected? >>>>>> What >>>>>> is the >>>>>> full ACI you came up with? >>>>>> >>>>>> The idea is that this is granted to all authenticated users >>>>>> EXCEPT >>>>>> those >>>>>> in the, in your case, iam-managed-users and admins groups. >>>>>> >>>>> We did not user RBAC much up to now. So it is very likely that I >>>>> did not >>>>> fully grasp the whole concept yet. >>>>> >>>>> What I did was adding users to a group called >>>>> cn=iam-managed-users,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at >>>>> >>>>> >>>>> >>>>> and modifying the target filter to >>>>> (&(!(memberOf=cn=iam-managed-users,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at))(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at))). >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> Nothing else. Because I thought the "System: Change User" >>>>> permission >>>>> applies to all IPA users by default. This assumption might >>>>> probably be >>>>> wrong... >>>>> >>>>> >>>> >>>> It is controlled by 'Self can write own password' >>>> >>>> $ ipa selfservice-show 'Self can write own password' >>>> Self-service name: Self can write own password >>>> Permissions: write >>>> Attributes: userpassword, krbprincipalkey, >>>> sambalmpassword, >>>> sambantpassword >>>> >>>> aci: (targetattr = "userpassword || krbprincipalkey || >>>> sambalmpassword >>>> || sambantpassword")(version 3.0; acl "selfservice:Self can >>>> write own >>>> password"; allow (write) userdn="ldap:///self";) >>> >>> ipapermtargetfilter: >>> (&(!(memberOf=cn=iam-managed-users,cn=groups,cn=accounts,dc=ipatest,dc=mydomain,dc=at))(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipatest,dc=mydomain,dc=at))) >>> >>> >>> >>> >>> >>> ipapermissiontype: SYSTEM >>> ipapermissiontype: V2 >>> ipapermissiontype: MANAGED >>> aci: (targetattr = "krbpasswordexpiration || >>> krbprincipalkey || >>> passwordhistory || sambalmpassword || sambantpassword || >>> userpassword")(targetfilter = >>> "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipatest,dc=mydomain,dc=at))(objectclass=posixaccount))")(version >>> >>> >>> >>> >>> 3.0;acl "permission:System: Change User password";allow (write) >>> groupdn >>> = "ldap:///cn=System: Change User >>> password,cn=permissions,cn=pbac,dc=ipatest,dc=mydomain,dc=at";) >>> >>> Modifying the ipapermtargetfilter (manually in LDAP) did not >>> produce the >>> aci I was expecting. Do I have to modify it by IPA API means (eg. >>> CLI?) >>> or did I modify the wrong attribute? >> >> This is the wrong permission. This handles who can change someone >> else's >> password. To manage who can change their own you have to modify >> 'Self >> can write own password' via the selfservice plugin. > > I see. But when I remove all the password relevant attributes as an > admin users are still able to change their passwords... >
You're saying users that are also admins can change their own passwords? admins are special so there may be additional ACIs involved.
No. My eypectation was that regular users cannot change their passwords anymore after I removed the password attributes from the selfservice permission you named above.
It is very difficult to help you if you don't show your work.
What does the selfservice entry look like?
How are you testing the password change?
Sorry. I try to be more specific. Initially I wanted to forbid password change for a certain user group. But now I just wanted to see it working in general. So... the IPA installation is completely unmodified in this regard.
What did I try? Taking away all password-related attributes I found in the "Self can write own password" permission. I did this with the IPA admin user.
You still haven't shown the selfservice permission.
ipa selfservice-show --raw Self-service name: Self can write own password aci: (targetattr = "krbprincipalkey")(version 3.0;acl "selfservice:Self can write own password";allow (write) userdn = "ldap:///self";)
How did you remove all attributes? It should throw an error about invalid or missing values.
Logged into IPA via the WebGUI as admin. Went to IPA Server->RBAC->Self Service Permissions. Clicked on "Self can write own password". Unchecked "userpassword". Clicked on "save". Logged out and logged back in as a non-admin. Tried password change. Worked. (and my expectation was it should not have worked.)
krbprincipalkey is also the password, as are all the other attributes in the permission. If you delete the permission then the next upgrade will re-create it so I'd suggest removing all attributes from it and adding something a user already has for themselves, like ipasshpubkey.
rob
On 20.02.25 02:38, Rob Crittenden wrote:
Ronald Wimmer wrote:
On 19.02.25 19:37, Rob Crittenden wrote:
Ronald Wimmer via FreeIPA-users wrote:
On 19.02.25 16:40, Rob Crittenden via FreeIPA-users wrote:
Ronald Wimmer via FreeIPA-users wrote:
On 19.02.25 15:54, Rob Crittenden via FreeIPA-users wrote: > Ronald Wimmer wrote: >> On 19.02.25 13:48, Rob Crittenden via FreeIPA-users wrote: >>> Ronald Wimmer wrote: >>>> >>>> >>>> On 13.02.25 17:42, Rob Crittenden wrote: >>>>> Ronald Wimmer wrote: >>>>>> On 12.02.25 19:15, Rob Crittenden wrote: >>>>>>> More specifics would help. How did it not work as expected? >>>>>>> What >>>>>>> is the >>>>>>> full ACI you came up with? >>>>>>> >>>>>>> The idea is that this is granted to all authenticated users >>>>>>> EXCEPT >>>>>>> those >>>>>>> in the, in your case, iam-managed-users and admins groups. >>>>>>> >>>>>> We did not user RBAC much up to now. So it is very likely that I >>>>>> did not >>>>>> fully grasp the whole concept yet. >>>>>> >>>>>> What I did was adding users to a group called >>>>>> cn=iam-managed-users,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at >>>>>> >>>>>> >>>>>> >>>>>> and modifying the target filter to >>>>>> (&(!(memberOf=cn=iam-managed-users,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at))(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at))). >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> Nothing else. Because I thought the "System: Change User" >>>>>> permission >>>>>> applies to all IPA users by default. This assumption might >>>>>> probably be >>>>>> wrong... >>>>>> >>>>>> >>>>> >>>>> It is controlled by 'Self can write own password' >>>>> >>>>> $ ipa selfservice-show 'Self can write own password' >>>>> Self-service name: Self can write own password >>>>> Permissions: write >>>>> Attributes: userpassword, krbprincipalkey, >>>>> sambalmpassword, >>>>> sambantpassword >>>>> >>>>> aci: (targetattr = "userpassword || krbprincipalkey || >>>>> sambalmpassword >>>>> || sambantpassword")(version 3.0; acl "selfservice:Self can >>>>> write own >>>>> password"; allow (write) userdn="ldap:///self";) >>>> >>>> ipapermtargetfilter: >>>> (&(!(memberOf=cn=iam-managed-users,cn=groups,cn=accounts,dc=ipatest,dc=mydomain,dc=at))(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipatest,dc=mydomain,dc=at))) >>>> >>>> >>>> >>>> >>>> >>>> ipapermissiontype: SYSTEM >>>> ipapermissiontype: V2 >>>> ipapermissiontype: MANAGED >>>> aci: (targetattr = "krbpasswordexpiration || >>>> krbprincipalkey || >>>> passwordhistory || sambalmpassword || sambantpassword || >>>> userpassword")(targetfilter = >>>> "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipatest,dc=mydomain,dc=at))(objectclass=posixaccount))")(version >>>> >>>> >>>> >>>> >>>> 3.0;acl "permission:System: Change User password";allow (write) >>>> groupdn >>>> = "ldap:///cn=System: Change User >>>> password,cn=permissions,cn=pbac,dc=ipatest,dc=mydomain,dc=at";) >>>> >>>> Modifying the ipapermtargetfilter (manually in LDAP) did not >>>> produce the >>>> aci I was expecting. Do I have to modify it by IPA API means (eg. >>>> CLI?) >>>> or did I modify the wrong attribute? >>> >>> This is the wrong permission. This handles who can change someone >>> else's >>> password. To manage who can change their own you have to modify >>> 'Self >>> can write own password' via the selfservice plugin. >> >> I see. But when I remove all the password relevant attributes as an >> admin users are still able to change their passwords... >> > > You're saying users that are also admins can change their own > passwords? > admins are special so there may be additional ACIs involved.
No. My eypectation was that regular users cannot change their passwords anymore after I removed the password attributes from the selfservice permission you named above.
It is very difficult to help you if you don't show your work.
What does the selfservice entry look like?
How are you testing the password change?
Sorry. I try to be more specific. Initially I wanted to forbid password change for a certain user group. But now I just wanted to see it working in general. So... the IPA installation is completely unmodified in this regard.
What did I try? Taking away all password-related attributes I found in the "Self can write own password" permission. I did this with the IPA admin user.
You still haven't shown the selfservice permission.
ipa selfservice-show --raw Self-service name: Self can write own password aci: (targetattr = "krbprincipalkey")(version 3.0;acl "selfservice:Self can write own password";allow (write) userdn = "ldap:///self";)
How did you remove all attributes? It should throw an error about invalid or missing values.
Logged into IPA via the WebGUI as admin. Went to IPA Server->RBAC->Self Service Permissions. Clicked on "Self can write own password". Unchecked "userpassword". Clicked on "save". Logged out and logged back in as a non-admin. Tried password change. Worked. (and my expectation was it should not have worked.)
krbprincipalkey is also the password, as are all the other attributes in the permission. If you delete the permission then the next upgrade will re-create it so I'd suggest removing all attributes from it and adding something a user already has for themselves, like ipasshpubkey.
Great! It works! (IPA Error 2100: ACIError, Insufficient access: Invalid credentials)
Thank you for your patience! My IPA time is very limited at the moment...
On 20.02.25 10:38, Ronald Wimmer via FreeIPA-users wrote:
On 20.02.25 02:38, Rob Crittenden wrote:
Ronald Wimmer wrote:
On 19.02.25 19:37, Rob Crittenden wrote:
Ronald Wimmer via FreeIPA-users wrote:
On 19.02.25 16:40, Rob Crittenden via FreeIPA-users wrote:
Ronald Wimmer via FreeIPA-users wrote: > On 19.02.25 15:54, Rob Crittenden via FreeIPA-users wrote: >> Ronald Wimmer wrote: >>> On 19.02.25 13:48, Rob Crittenden via FreeIPA-users wrote: >>>> Ronald Wimmer wrote: >>>>> >>>>> >>>>> On 13.02.25 17:42, Rob Crittenden wrote: >>>>>> Ronald Wimmer wrote: >>>>>>> On 12.02.25 19:15, Rob Crittenden wrote: >>>>>>>> More specifics would help. How did it not work as expected? >>>>>>>> What >>>>>>>> is the >>>>>>>> full ACI you came up with? >>>>>>>> >>>>>>>> The idea is that this is granted to all authenticated users >>>>>>>> EXCEPT >>>>>>>> those >>>>>>>> in the, in your case, iam-managed-users and admins groups. >>>>>>>> >>>>>>> We did not user RBAC much up to now. So it is very likely >>>>>>> that I >>>>>>> did not >>>>>>> fully grasp the whole concept yet. >>>>>>> >>>>>>> What I did was adding users to a group called >>>>>>> cn=iam-managed-users,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at >>>>>>> >>>>>>> >>>>>>> >>>>>>> and modifying the target filter to >>>>>>> (&(!(memberOf=cn=iam-managed-users,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at))(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at))). >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> Nothing else. Because I thought the "System: Change User" >>>>>>> permission >>>>>>> applies to all IPA users by default. This assumption might >>>>>>> probably be >>>>>>> wrong... >>>>>>> >>>>>>> >>>>>> >>>>>> It is controlled by 'Self can write own password' >>>>>> >>>>>> $ ipa selfservice-show 'Self can write own password' >>>>>> Self-service name: Self can write own password >>>>>> Permissions: write >>>>>> Attributes: userpassword, krbprincipalkey, >>>>>> sambalmpassword, >>>>>> sambantpassword >>>>>> >>>>>> aci: (targetattr = "userpassword || krbprincipalkey || >>>>>> sambalmpassword >>>>>> || sambantpassword")(version 3.0; acl "selfservice:Self can >>>>>> write own >>>>>> password"; allow (write) userdn="ldap:///self";) >>>>> >>>>> ipapermtargetfilter: >>>>> (&(!(memberOf=cn=iam-managed-users,cn=groups,cn=accounts,dc=ipatest,dc=mydomain,dc=at))(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipatest,dc=mydomain,dc=at))) >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> ipapermissiontype: SYSTEM >>>>> ipapermissiontype: V2 >>>>> ipapermissiontype: MANAGED >>>>> aci: (targetattr = "krbpasswordexpiration || >>>>> krbprincipalkey || >>>>> passwordhistory || sambalmpassword || sambantpassword || >>>>> userpassword")(targetfilter = >>>>> "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipatest,dc=mydomain,dc=at))(objectclass=posixaccount))")(version >>>>> >>>>> >>>>> >>>>> >>>>> 3.0;acl "permission:System: Change User password";allow (write) >>>>> groupdn >>>>> = "ldap:///cn=System: Change User >>>>> password,cn=permissions,cn=pbac,dc=ipatest,dc=mydomain,dc=at";) >>>>> >>>>> Modifying the ipapermtargetfilter (manually in LDAP) did not >>>>> produce the >>>>> aci I was expecting. Do I have to modify it by IPA API means >>>>> (eg. >>>>> CLI?) >>>>> or did I modify the wrong attribute? >>>> >>>> This is the wrong permission. This handles who can change someone >>>> else's >>>> password. To manage who can change their own you have to modify >>>> 'Self >>>> can write own password' via the selfservice plugin. >>> >>> I see. But when I remove all the password relevant attributes >>> as an >>> admin users are still able to change their passwords... >>> >> >> You're saying users that are also admins can change their own >> passwords? >> admins are special so there may be additional ACIs involved. > > No. My eypectation was that regular users cannot change their > passwords > anymore after I removed the password attributes from the selfservice > permission you named above.
It is very difficult to help you if you don't show your work.
What does the selfservice entry look like?
How are you testing the password change?
Sorry. I try to be more specific. Initially I wanted to forbid password change for a certain user group. But now I just wanted to see it working in general. So... the IPA installation is completely unmodified in this regard.
What did I try? Taking away all password-related attributes I found in the "Self can write own password" permission. I did this with the IPA admin user.
You still haven't shown the selfservice permission.
ipa selfservice-show --raw Self-service name: Self can write own password aci: (targetattr = "krbprincipalkey")(version 3.0;acl "selfservice:Self can write own password";allow (write) userdn = "ldap:///self";)
How did you remove all attributes? It should throw an error about invalid or missing values.
Logged into IPA via the WebGUI as admin. Went to IPA Server->RBAC->Self Service Permissions. Clicked on "Self can write own password". Unchecked "userpassword". Clicked on "save". Logged out and logged back in as a non-admin. Tried password change. Worked. (and my expectation was it should not have worked.)
krbprincipalkey is also the password, as are all the other attributes in the permission. If you delete the permission then the next upgrade will re-create it so I'd suggest removing all attributes from it and adding something a user already has for themselves, like ipasshpubkey.
Great! It works! (IPA Error 2100: ACIError, Insufficient access: Invalid credentials)
Thank you for your patience! My IPA time is very limited at the moment...
I forgot to post the final ACI here. So I'll do it now:
(targetattr = "ipapasskey || ipasshpubkey || krbprincipalkey || userpassword")(targetfilter = "(!(memberOf=cn=iam-managed-users,cn=groups,cn=accounts,dc=ipatest,dc=mydomain,dc=at))")(version 3.0;acl "selfservice:Self can write own password";allow (write) userdn = "ldap:///self";)
Now users that are member of iam-managed-users cannot change their passwords.
freeipa-users@lists.fedorahosted.org
-
Rob Crittenden -
Ronald Wimmer