How to grant permissions to a normal IPA user to change user-auth-type of other IPA users without giving it write privilege to any objectclasses except ipauserauthtypeclass

Solution Verified - Updated -

Issue

  1. I want to grant a normal IPA user ipauser permission to change the auth type of another IPA user, targetuser:

     # kinit ipauser
     # ipa user-mod --user-auth-type='password' targetuser
     ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'objectClass' attribute of entry 'uid=targetuser,cn=users,cn=accounts,dc=example,dc=com'.

  2. I figured out that the command now also needs to add the ipauserauthtypeclass objectclass when the per-user auth type is edited for the first time. However, I do not want the permission to give ipauser the ability to write any objectclass. I only want ipauser to be able to add objectclass=ipauserauthtypeclass to targetuser.
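The following is an added example, not code from this article or from FreeIPA. It models the mechanism behind the error in the question: the first per-user change of ipauserauthtype has to add the auxiliary objectClass ipauserauthtypeclass, so an attribute-only write permission on ipauserauthtype is denied on that first edit and would only succeed once the objectClass is present. It also models the requester's desired policy as a hypothetical value-scoped rule (objectClass may be added only when every added value is ipauserauthtypeclass). The entry contents, the permission representation and the function names are constructed for illustration; the page does not include the solution, and nothing here claims how an IPA permission or 389-ds ACI expresses that rule.

```python
AUTH_TYPE_OBJECTCLASS = "ipauserauthtypeclass"
AUTH_TYPE_ATTR = "ipauserauthtype"


def build_modlist(entry, new_auth_types):
    """Model the LDAP changes `ipa user-mod --user-auth-type` sends.

    `entry` maps lowercase attribute names to value lists and is a constructed
    stand-in for the target user's LDAP entry. The auxiliary objectClass is
    added only when it is not already present, which is the first-edit case
    described in the question; later edits touch only the attribute.
    """
    present = {oc.lower() for oc in entry.get("objectclass", [])}
    mods = []
    if AUTH_TYPE_OBJECTCLASS not in present:
        mods.append(("add", "objectclass", [AUTH_TYPE_OBJECTCLASS]))
    mods.append(("replace", AUTH_TYPE_ATTR, sorted(new_auth_types)))
    return mods


def check_write_access(mods, writable_attrs, objectclass_adds_allowed=()):
    """Model an attribute-level write permission.

    Returns None when every modification is permitted, otherwise the attribute
    that would trigger an "Insufficient 'write' privilege" error.

    `writable_attrs`: attributes the bound user may write outright.
    `objectclass_adds_allowed`: hypothetical value-scoped rule (assumption, not
    an IPA permission definition): objectClass may be added only if every added
    value is in this set, which is the requirement stated in the question.
    """
    allowed = {a.lower() for a in writable_attrs}
    scoped_oc = {v.lower() for v in objectclass_adds_allowed}
    for op, attr, values in mods:
        attr = attr.lower()
        if attr in allowed:
            continue
        if attr == "objectclass" and op == "add" and scoped_oc:
            if all(v.lower() in scoped_oc for v in values):
                continue
        return attr
    return None


def apply_mods(entry, mods):
    """Apply a modlist to the constructed entry dict in place and return it."""
    for op, attr, values in mods:
        attr = attr.lower()
        if op == "add":
            entry.setdefault(attr, []).extend(values)
        elif op == "replace":
            entry[attr] = list(values)
    return entry


def first_and_second_edit(writable_attrs, objectclass_adds_allowed=()):
    """Run the question's scenario twice against one permission definition.

    Returns (first_result, second_result); each is None on success or the
    attribute that was denied.
    """
    # Constructed stand-in for uid=targetuser before any per-user auth type is set.
    targetuser = {
        "uid": ["targetuser"],
        "objectclass": ["top", "person", "posixaccount", "inetorgperson", "inetuser"],
    }
    mods = build_modlist(targetuser, ["password"])
    first = check_write_access(mods, writable_attrs, objectclass_adds_allowed)
    if first is None:
        apply_mods(targetuser, mods)
    mods = build_modlist(targetuser, ["password", "otp"])
    second = check_write_access(mods, writable_attrs, objectclass_adds_allowed)
    return first, second


if __name__ == "__main__":
    # Attribute-only permission: denied on objectClass until the class is present.
    print(first_and_second_edit(["ipauserauthtype"]))
    # Full objectClass write: succeeds, but grants far more than the requester wants.
    print(first_and_second_edit(["ipauserauthtype", "objectclass"]))
    # Value-scoped objectClass add: succeeds while only permitting the one class.
    print(first_and_second_edit(["ipauserauthtype"], ["ipauserauthtypeclass"]))
```

The three runs at the bottom show why granting write on ipauserauthtype alone reproduces the error on every attempt until someone else adds the objectClass, why granting write on objectClass as a whole is broader than needed (it would let ipauser add any auxiliary class), and what a value-scoped rule would have to enforce to satisfy the request.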

Environment

  • Red Hat Enterprise Linux 8.10
