My question is related to this site: https://support.office.com/en-SG/article/Assigning-admin-roles-eac4d046-1afd-4f1a-85fc-8219c79e1504
I want to know if the password admins can change the password of the other admins.
In the link above, the article says: "Password admin: Resets passwords, manages service requests, and monitors service health. Password admins are limited to resetting passwords for users and other password admins."
But, in the section "View admin permissions by role", on the same site, I read: "Yes; with limitations. This admin can only reset passwords for non-admins."
Our goal is to manage FreeIPA users passwords from Keycloak, this works when we use the admin user from FreeIPA to bind from Keycloak, e.g. in the Keycloak > User Federation > LDAP > Bind DN: uid=admin,cn=users,cn=accounts,dc=example,dc=com
When using a non-privileged user with only the permissions to manage passwords, we can synchronize the user, but listing the users from Keycloak returns an error: 'an unexpected server error has occurred'
If we add the non-privileged user to the admin group in LDAP, it also works.
These are the commands that we used to add the permission to manage passwords:
ipa role-add "Self Password Reset"
ipa role-add-member "Self Password Reset" --users="ldap-passwd-reset"
ipa role-add-privilege "Self Password Reset" --privileges="Modify Users and Reset passwords"
ipa role-add-privilege "Self Password Reset" --privileges="Password Policy Readers"
ipa role-add-privilege "Self Password Reset" --privileges="Kerberos Ticket Policy Readers"
ipa permission-mod "System: Change User password" --includedattrs="krbloginfailedcount"
My question is: what are the minimum privileges that a user needs to be able to manage LDAP passwords from Keycloak without being a member of the admin groups?
When I create another admin user, how can he change his password? I disallow 'Administrators' permissions since he can make himself SuperAdmin. Without that he cannot change his profile, like his password. Is there a way to have better control over Administrators?
Use the password reminder option from the login screen. There's no "user profile" functionality for each administrator separately.
By setting the parameters Identity.Listener.Enable and Notification.Expire.Time in the file identity-mgt.properties of WSO2IS, the expiry time of all users' passwords is set. A user will be locked if the password passes this expiry time. The user can be unlocked with the admin user of a tenant.
So, the admin user can also be locked if the password expires. Then neither the password of the admin nor the password of other locked users can be unlocked anymore. Or does the setting Notification.Expire.Time not affect the admin user at all, and the admin is never locked by this parameter?
In case the Admin can also be locked, which feature does WSO2IS offer for unlocking the admin user of a tenant?
There is no way to lock the admin user or tenant admin users. You can configure the settings mentioned above in the question, but they don't affect the admin users.
On AppFuse (http://appfuse.org/display/APF/Demos), an Administrator can add users. When adding a new user, the administrator can set a "Password Hint" for the user being added, but not the user's actual password. My question is: when the user comes to log in, how will the user know his exact password?
When the administrator adds a user, they only fill in the password hint.
The password will then be sent to the email address the user has registered.
I want to customize login in Liferay 6.2. I have internal Liferay users and LDAP users. All users have a record in the Liferay user_ table. The differences are: internal users must change their password at first login and see a password reminder question.
LDAP users only log in with their password.
Actually, Liferay asks LDAP users to change their password and set a password reminder question. These users change their password, but at the next login, login is possible with the old LDAP password (correct). Liferay must not write to LDAP.
How can I remove the password change and password reminder question for LDAP users?
There's a password policy that you can set per organization. If you introduce a new organization for each of the groups (or just one might suffice as well) you can have individual password policies per organization.
In password policies you can configure quite a lot of things, e.g. whether passwords should be changed on first login, etc. You can also select the "LDAP Password Policy" in the LDAP configuration screen. I'm rarely working with password policies, thus it's hard to give detailed directions - let me know if this is sufficient or if you need more detailed pointers.