Hi Rob,
I’m not at work anymore.
How do you find out which credentials you need to modify users in ipa?
Do you need to be root?
When using the FreeIPA GUI, I’ve no problem creating and modifying users, adding them to
groups, etc.
However, in the GUI, the password-expiration field is read-only, which is why I have
attempted modifying its value on the CLI.
On 7 Feb 2023, at 18:53, Rob Crittenden <rcritten(a)redhat.com> wrote:
What user principal are you using? Do you have permissions to modify
this other user's information? The error message says you don't.
rob
phiroc(a)free.fr wrote:
>
> Hi Rob,
>
> thanks for your feedback.
>
> Unfortunately,
>
> ipa user-mod user1 --setattr givenname=phili
> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'givenName' attribute of entry 'uid=...'.
>
>
>>> In general we strongly encourage you to upgrade to a supported release
>
> I wish I could. I'll report it to my manager.
>
>
>
>
> ----- Original message -----
> From: "Rob Crittenden" <rcritten(a)redhat.com>
> To: "FreeIPA users list" <freeipa-users(a)lists.fedorahosted.org>
> Cc: phiroc(a)free.fr
> Sent: Tuesday, 7 February 2023 17:51:20
> Subject: Re: [Freeipa-users] Re: password-expiration
>
> When using --setattr you have to use the LDAP attribute name. So in this
> case givenname.
>
> 4.5.4 is getting along to 6 years old now. In general we strongly
> encourage you to upgrade to a supported release, one release at a time
> (there is no going from 4.5 to 4.10 directly).
>
> rob
>
> None via FreeIPA-users wrote:
>>
>>
>> Hi Florence,
>>
>> I've tried the --setattr option with 'first',
>>
>>
>> ipa user-mod user1 --setattr first=phil
>>
>> ... but to no avail
>>
>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'first' attribute of entry 'uid=...'.
>>
>>
>>
>> ----- Original message -----
>> From: "Florence Blanc-Renaud via FreeIPA-users" <freeipa-users(a)lists.fedorahosted.org>
>> To: phiroc(a)free.fr
>> Cc: freeipa-users(a)lists.fedorahosted.org, "Florence Blanc-Renaud" <flo(a)redhat.com>
>> Sent: Tuesday, 7 February 2023 17:37:19
>> Subject: [Freeipa-users] Re: password-expiration
>>
>>
>>
>>
>>
>> Hi,
>>
>>
>>
>> On Tue, Feb 7, 2023 at 5:23 PM < phiroc(a)free.fr > wrote:
>>
>>
>> Hi Florence,
>> alas, same issue
>>
>> ipa: error: no such option: --password-expiration
>>
>>
>>
>> Ok, the functionality was added in 4.6.0 (see Release notes) so you need to use directly ipa user-mod LOGIN --setattr krbpasswordexpiration=VALUE
>> flo
>>
>>
>>
>>
>>
>>
>> ----- Original message -----
>> From: "Florence Blanc-Renaud" < flo(a)redhat.com >
>> To: phiroc(a)free.fr
>> Cc: freeipa-users(a)lists.fedorahosted.org
>> Sent: Tuesday, 7 February 2023 17:12:32
>> Subject: Re: [Freeipa-users] password-expiration
>>
>>
>>
>>
>> Hi,
>>
>>
>>
>> On Tue, Feb 7, 2023 at 4:49 PM < phiroc(a)free.fr > wrote:
>>
>>
>> Hi Florence,
>> unfortunately,
>>
>> ipa user-mod user1 --krbpasswordexpiration='2024-06-28 07:49:37Z'
>> Usage: ipa [global-options] user-mod LOGIN [options]
>>
>> ipa: error: no such option: --krbpasswordexpiration
>>
>>
>> My bad, I copied the attribute name instead of the CLI option name. Can you try with
>> ipa user-mod LOGIN --password-expiration=DATETIME
>>
>>
>> Note: if you type ipa user-mod --help you can see all the available options.
>> flo
>>
>>
>