Keycloak minimal privileges to bind to LDAP - ldap

Our goal is to manage FreeIPA users' passwords from Keycloak. This works when we use the admin user from FreeIPA to bind from Keycloak, e.g. in Keycloak > User Federation > LDAP > Bind DN: uid=admin,cn=users,cn=accounts,dc=example,dc=com
When using a non-privileged user with only the permissions to manage passwords, we can synchronize the user, but listing the users from Keycloak returns an error: 'an unexpected server error has occurred'
If we add the non-privileged user to the admin group in LDAP, it also works.
These are the commands that we used to add the permission to manage passwords:
ipa role-add "Self Password Reset"
ipa role-add-member "Self Password Reset" --users="ldap-passwd-reset"
ipa role-add-privilege "Self Password Reset" --privileges="Modify Users and Reset passwords"
ipa role-add-privilege "Self Password Reset" --privileges="Password Policy Readers"
ipa role-add-privilege "Self Password Reset" --privileges="Kerberos Ticket Policy Readers"
ipa permission-mod "System: Change User password" --includedattrs="krbloginfailedcount"
My question is: what are the minimum privileges a user needs to be able to manage LDAP passwords from Keycloak without being a member of the admin groups?
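One way to audit a candidate bind account before pointing Keycloak at it, as an added example that is not part of the original post and not FreeIPA's or Keycloak's own code: a small evaluator of FreeIPA's role -> privilege -> permission chain fed with constructed permission records. The permission names and attribute lists are abbreviated sample data; the attributes Keycloak is assumed to need (read on uid, cn, sn, mail, nsuniqueid and the timestamps for listing and sync, write on userPassword for password management) are my assumption from Keycloak's default RHDS mappers, not something the post states; the "Self Password Reset" role is wired exactly as the post's ipa commands build it. The check also makes the point that a permission only counts for the subtree its ipaPermLocation names, which is the first thing to compare against the search base Keycloak is configured with.

```python
"""Pre-flight least-privilege check for the FreeIPA account Keycloak binds with.

FreeIPA's RBAC chain is role -> privilege -> permission.  A permission names the
rights it grants (ipaPermRight), the attributes it covers (ipaPermIncludedAttr /
ipaPermDefaultAttr), the subtree it applies to (ipaPermLocation) and how it is
bound (ipaPermBindRuleType: "permission" = only through a role, "all" = any
authenticated bind, "anonymous" = everyone).  Everything below is constructed
sample data in that shape, not a dump of a real server; attribute lists are
abbreviated.  Added example, not FreeIPA or Keycloak code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    name: str
    rights: frozenset    # subset of read/search/compare/write/add/delete
    attrs: frozenset     # attribute names, lower-cased (LDAP attribute names are case-insensitive)
    location: str        # ipaPermLocation: the subtree the ACI is placed on
    bindrule: str        # "permission" | "all" | "anonymous"


USERS = "cn=users,cn=accounts,dc=example,dc=com"
KERBEROS = "cn=kerberos,dc=example,dc=com"


def perm(name, rights, attrs, bindrule="permission", location=USERS):
    return Permission(name, frozenset(rights), frozenset(a.lower() for a in attrs),
                      location, bindrule)


# Constructed catalogue in FreeIPA's "System: ..." naming style (abbreviated).
PERMISSIONS = {p.name: p for p in (
    perm("System: Read User Standard Attributes", {"read", "search", "compare"},
         {"uid", "cn", "sn", "givenName", "mail", "objectClass", "nsUniqueId",
          "createTimestamp", "modifyTimestamp"}, bindrule="anonymous"),
    perm("System: Change User password", {"write"},
         {"userPassword", "krbPasswordExpiration", "krbPrincipalKey",
          "krbLoginFailedCount"}),   # krbLoginFailedCount: the --includedattrs from the post
    perm("System: Modify Users", {"write"}, {"cn", "sn", "givenName", "mail"}),
    perm("System: Read Password Policies", {"read", "search", "compare"},
         {"krbMaxPwdLife", "krbMinPwdLife", "krbPwdHistoryLength"}, location=KERBEROS),
    perm("System: Read Default Kerberos Ticket Policy", {"read", "search", "compare"},
         {"krbMaxTicketLife", "krbMaxRenewableAge"}, location=KERBEROS),
)}

PRIVILEGES = {
    "Modify Users and Reset passwords": {"System: Change User password", "System: Modify Users"},
    "Password Policy Readers": {"System: Read Password Policies"},
    "Kerberos Ticket Policy Readers": {"System: Read Default Kerberos Ticket Policy"},
}

# The role exactly as the post's `ipa role-add-privilege` commands build it.
ROLES = {"Self Password Reset": set(PRIVILEGES)}

# Assumed needs of a Keycloak LDAP provider with the default RHDS mappers (assumption,
# not from the post): read the mapped user attributes to list/sync, write userPassword.
KEYCLOAK_LIST_AND_SYNC = {("read", a) for a in (
    "uid", "cn", "sn", "mail", "objectclass", "nsuniqueid", "createtimestamp", "modifytimestamp")}
KEYCLOAK_PASSWORD_MGMT = {("write", "userpassword")}


def in_subtree(dn, subtree):
    dn, subtree = dn.lower(), subtree.lower()
    return dn == subtree or dn.endswith("," + subtree)


def rights_of(perms, target):
    """(right, attr) pairs granted on `target` by a set of permissions."""
    return {(right, attr) for p in perms if in_subtree(target, p.location)
            for right in p.rights for attr in p.attrs}


def effective_rights(roles, target=USERS, authenticated=True):
    """What a bind identity holding `roles` can do on `target`."""
    perms = {p for p in PERMISSIONS.values()
             if p.bindrule == "anonymous" or (p.bindrule == "all" and authenticated)}
    for role in roles:
        for priv in ROLES[role]:
            perms.update(PERMISSIONS[n] for n in PRIVILEGES[priv])
    return rights_of(perms, target)


def missing_rights(roles, required, target=USERS, authenticated=True):
    """Required (right, attr) pairs the bind identity does NOT have; empty means OK."""
    return set(required) - effective_rights(roles, target, authenticated)


def minimal_privileges(required, target=USERS):
    """Greedy set cover: privileges to add, beyond what any authenticated bind already
    has, to satisfy `required`.  Raises if no privilege can cover a remaining pair."""
    remaining = missing_rights((), required, target)
    chosen = []
    while remaining:
        gains = {priv: remaining & rights_of({PERMISSIONS[n] for n in names}, target)
                 for priv, names in PRIVILEGES.items()}
        best = max(gains, key=lambda priv: len(gains[priv]))
        if not gains[best]:
            raise ValueError(f"no privilege grants {sorted(remaining)}")
        chosen.append(best)
        remaining -= gains[best]
    return chosen


if __name__ == "__main__":
    need = KEYCLOAK_LIST_AND_SYNC | KEYCLOAK_PASSWORD_MGMT
    print("gaps for the post's role:", missing_rights(["Self Password Reset"], need))
    print("gaps for a plain authenticated bind:", missing_rights([], need))
    print("privileges actually needed for the gaps:", minimal_privileges(need))
```

On a real server the same data comes from `ipa role-show --all`, `ipa privilege-show --all` and `ipa permission-show --all`; feed those records into the catalogue instead of the sample ones. The evaluation is deliberately per subtree: a right granted on cn=kerberos says nothing about cn=users, so a privilege can look generous in `ipa role-show` and still leave the Keycloak search base uncovered.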

Related

Reset OpenStack admin password

I have installed OpenStack on my VM. I changed my admin password but I do not know it (I generated it via KeePass, but forgot to save it :( )
Now I want to change it.
stack#smaug:~/devstack$ openstack user password set --password somepassword admin
Could not recognize Fernet token (HTTP 404) (Request-ID: req-8ba5e9a3-f8df-4ef1-91ab-24e6da33ff8f)
Could you help me with how to use a Fernet token and how I can change the admin password?
Solved, update:
source /opt/stack/devstack/openrc admin admin
openstack user set --password-prompt admin
Now I am able to login \o/

Is the WSO2IS administrator also locked when the password expires

By setting the parameters Identity.Listener.Enable and Notification.Expire.Time in the file identity-mgt.properties of WSO2IS, the expiry time of all users' passwords is set. A user will be locked if the password passes this expiry time. The user can be unlocked with the admin user of a tenant.
So the admin user can also be locked if the password expires. Then neither the password of the admin nor the passwords of other locked users can be unlocked anymore. Or does the setting Notification.Expire.Time not affect the admin user at all, and the admin is never locked by this parameter?
In case the admin can also be locked, which feature does WSO2IS offer for unlocking the admin user of a tenant?
There is no way to lock the admin user or tenant admin users. You can configure the settings mentioned in the question, but they don't affect the admin users.

Can "Password admin" change other admin's passwords?

My question is related to this site : https://support.office.com/en-SG/article/Assigning-admin-roles-eac4d046-1afd-4f1a-85fc-8219c79e1504
I want to know if password admins can change the passwords of other admins.
In the link above, the article says: "Password admin: Resets passwords, manages service requests, and monitors service health. Password admins are limited to resetting passwords for users and other password admins."
But in the section "View admin permissions by role" on the same site, I read: "Yes; with limitations. This admin can only reset passwords for non-admins."

Liferay login with internal users and ldap users

I want to customize the login in Liferay 6.2. I have internal Liferay users and LDAP users. All users have a record in the Liferay User_ table. The differences are: internal users must change their password at first login and see a password reminder question.
LDAP users only log in with their password.
Actually, Liferay asks LDAP users to change their password and set a password reminder question. These users change their password, but at the next login, login is possible with the old LDAP password (correct). Liferay must not write to LDAP.
How can I remove the password change and the password reminder question for LDAP users?
There's a password policy that you can set per organization. If you introduce a new organization for each of the groups (or just one might suffice as well), you can have individual password policies per organization.
In password policies you can configure quite a lot of stuff, e.g. whether passwords should be changed on first login etc. You can also select the "LDAP Password Policy" in the LDAP configuration screen. I'm rarely working with password policies, thus it's hard to give detailed directions; let me know if this is sufficient or if you need more detailed pointers.

Authenticate Radius user using pam and ssh

I am able to authenticate RADIUS users using RADIUS server + PAM + SSH by creating a local user with a blank password in Linux.
Is it possible to authenticate RADIUS users without creating users on the local machine with a blank password?
My /etc/pam.d/ssh file is as below:
#%PAM-1.0
# RADIUS first; on success the auth phase is satisfied (sufficient) and pam_unix is skipped.
auth sufficient pam_radius_auth.so debug
# Fallback to the local password, reusing the password already typed (use_first_pass).
auth sufficient pam_unix.so use_first_pass
# Reached only if neither sufficient module above succeeded; its result then decides the
# auth phase. pam_auth_status is not a standard Linux-PAM module (site-specific).
auth required pam_auth_status.so
# pam_unix's account check needs the user to resolve via NSS (/etc/passwd or an NSS module),
# which is why the local entries are currently required.
account sufficient pam_unix.so
account required pam_auth_status.so
session required pam_unix.so
You can authenticate the user without creating an entry for him in the /etc/passwd and /etc/shadow files. But then the user is not associated with any shell in /etc/passwd, so it is of no use.
Do you want to launch a shell after authentication, or do you want the user just to be authenticated?
I found two nss libraries that could help in this case:
libnss-mapuser from Cumulus Linux.
libnss-ato
The general process is that these map an unknown (but authenticated) user to a single template user. Each user will get his/her own /home folder, though; what both libs have in common is that the user ID will be the same.
These packages are mainly targeted at network devices where there is no LDAP setup. Cumulus describes the setup nicely.
I recommend reading https://serverfault.com/questions/538383/understand-pam-and-nss to understand what is happening there.