Using service instead of user

[gerardedo]

Currently it's using an ipa user to reset password, instead of an ipa service.

[gerardedo]

Consider:

ipa role-add "Self Password Reset";
ipa role-add-privilege "Self Password Reset" --privileges="Modify Users and Reset passwords";
ipa role-add-privilege "Self Password Reset" --privileges="Password Policy Readers";
ipa service-add 'ldap-passwd-reset/domain.tld';
ipa role-add-member 'Self Password Reset' --services='ldap-passwd-reset/domain.tld';

Or create a permission for Type User with krbprincipalkey, userpassword and krbpasswordexpiration, and assign it to the role

ipa-getkeytab -p 'ldap-passwd-reset/domain.told' -s domain.told -k /opt/IPAPasswordReset/ldap-passwd-reset.keytab;
kinit -t /opt/IPAPasswordReset/ldap-passwd-reset.keytab -k ldap-passwd-reset/domain.told;
klist; ldapwhoami -Y GSSAPI;

Then use in as follows in settings.py:

LDAP_USER = "ldap-passwd-reset/domain.tld
KEYTAB_PATH = "/opt/IPAPasswordReset/ldap-passwd-reset.keytab"

[larrabee]

Thank you for feedback.
What is profit of using service instead of user?

[gerardedo]

Hi,

Well, it's conceptual, from my point of view a user type account is for real users, and services accounts are for machines and services. In this case, "ldap-passwd-reset" is a service.

Anyway, thanks for your nice work!

[fsadoon]

what about password policies ? will it be followed if we have it as a services,
BTW it isn't happening while it is normal user so .. u know