Russell Long via FreeIPA-users wrote:
I'm trying to create a set of limited users who have the ability to
unlock all other user accounts and change their passwords. I've got the
password portion figured out, however when a user with the limited
permissions tries to run the `unlock` operation they get the following
message:
Insufficient access: Insufficient 'write' privilege to
the 'krbLoginFailedCount' attribute of entry...
I have attempted to create a permission granting this access, but it
does not appear to work.
I'll attach an image of the existing permission, not sure how the list
will handle the image.
What isn't clear is whether you added the permission to a privilege and
a role.
This sequence worked for me.
Create a user with limited rights and reset the p/w
# echo password | ipa user-add --first limited --last user limited --password
# ipa passwd limited
# kinit limited
Add a new permission to unlock users
# kinit admin
# ipa permission-add unlock --type user --right write --right read --attrs={krbloginfailedcount,krblastadminunlock}
# ipa privilege-add unlock
# ipa privilege-add-permission --permission unlock unlock
# ipa role-add unlock
# ipa role-add-privilege --privilege=unlock unlock
# ipa role-add-member --users limited unlock
Create a user which we'll lock and reset the p/w
# echo password | ipa user-add lockme --first tim --last user --password
# kinit lockme
kinit with the wrong password until the account is locked
# ipa user-unlock lockme
Test the now unlocked user
# kinit lockme
Profit!
Note that the rights add and delete are entry-level rights. They don't
apply to individual attributes.
rob
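Rob's permission -> privilege -> role chain as a re-runnable script, added here as an example (not code from the thread or from FreeIPA), with a verification step that checks every link of the chain, since a missing privilege or role membership is what usually produces the "Insufficient 'write' privilege" error. The names `unlock` and `limited` come from the thread; the function names, the `ipa_idem`/`need` helpers and the label matching against `ipa *-show` output are this example's own assumptions.

```shell
#!/bin/sh
# Added example: build and verify the unlock permission/privilege/role chain.
# Object and user names are assumptions taken from the thread; override via env.
set -eu

OBJ="${OBJ:-unlock}"                      # name used for permission, privilege and role
LIMITED_USER="${LIMITED_USER:-limited}"   # the account allowed to unlock others
UNLOCK_ATTRS="krbloginfailedcount krblastadminunlock"

# Run an ipa command; treat "already exists"/"already a member" as success
# so the setup can be repeated without manual cleanup.
ipa_idem() {
    out=$(ipa "$@" 2>&1) && { printf '%s\n' "$out"; return 0; }
    case "$out" in
        *"already exists"*|*"already a member"*) printf '%s\n' "$out"; return 0 ;;
    esac
    printf 'ipa %s failed: %s\n' "$*" "$out" >&2
    return 1
}

# Build the chain: permission on the two lockout attributes -> privilege -> role -> user.
apply_unlock_role() {
    ipa_idem permission-add "$OBJ" --type=user --right=read --right=write \
        --attrs=krbloginfailedcount --attrs=krblastadminunlock &&
    ipa_idem privilege-add "$OBJ" &&
    ipa_idem privilege-add-permission "$OBJ" --permissions="$OBJ" &&
    ipa_idem role-add "$OBJ" &&
    ipa_idem role-add-privilege "$OBJ" --privileges="$OBJ" &&
    ipa_idem role-add-member "$OBJ" --users="$LIMITED_USER"
}

# Case-insensitive grep of captured output; on a miss, say what is absent and fail.
need() { printf '%s\n' "$1" | grep -qi "$2" || { echo "missing: $3"; return 1; }; }

# Check each link of the chain; report the first missing one and return 1.
verify_unlock_role() {
    perm=$(ipa permission-show "$OBJ" --all 2>/dev/null) || { echo "missing: permission $OBJ"; return 1; }
    for a in $UNLOCK_ATTRS; do need "$perm" "$a" "attribute $a on permission $OBJ" || return 1; done
    need "$perm" write "write right on permission $OBJ" || return 1
    priv=$(ipa privilege-show "$OBJ" 2>/dev/null) || { echo "missing: privilege $OBJ"; return 1; }
    need "$priv" "permissions:.*$OBJ" "permission $OBJ in privilege $OBJ" || return 1
    role=$(ipa role-show "$OBJ" 2>/dev/null) || { echo "missing: role $OBJ"; return 1; }
    need "$role" "privileges:.*$OBJ" "privilege $OBJ in role $OBJ" || return 1
    need "$role" "member users:.*$LIMITED_USER" "user $LIMITED_USER in role $OBJ" || return 1
    echo "ok: $LIMITED_USER can unlock via role $OBJ"
}

case "${1:-}" in
    apply)  apply_unlock_role && verify_unlock_role ;;
    verify) verify_unlock_role ;;
    *)      echo "usage: $0 apply|verify" >&2 ;;
esac
```

Run `verify` as admin after the setup; the first "missing:" line names the link to repair.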