Hi everyone, I installed the univention-admingrp-user-passwordreset component to allow the helpdesk to be able to reset the passwords, but when they try, the console displays:
Obviously the user belongs to the group “User Password Admins group”.
Console log /var/log/univention/management-console-module-udm.log:
10.04.21 08:57:19.399 MODULE ( WARN ) : Failed to modify LDAP object uid=sntest,cn=users,dc=my,dc=domain,dc=xy: permissionDenied:
10.04.21 08:58:53.813 ADMIN ( ERROR ) :
== [$6xxxxxxxxxxxxxxxxxxxxd0]
== [$6$rxxxxxxxxxxxxxQkJ1l8.]
10.04.21 08:58:53.838 MODULE ( WARN ) : Failed to modify LDAP object uid=sntest,cn=users,dc=my,dc=domain,dc=xy: permissionDenied:
/etc/ldap/slapd.conf:
# helpdesk access: grant access to specified groups for password reset
access to dn.sub="dc=my,dc=domain,dc=xy" filter="(&(|(&(objectClass=posixAccount)(objectClass=shadowAccount))(objectClass=univentionMail)(objectClass=sambaSamAccount)(objectClass=simpleSecurityObject)(&(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson)))(!(uidNumber=0))(!(|(uid=user0)(uid=Administrator)(uid=user1)(uid=user2)(uid=*$))))" attrs="krb5Key,userPassword,sambaPwdCanChange,sambaPwdMustChange,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,pwhistory,sambaPasswordHistory,krb5KDCFlags,krb5KeyVersionNumber,krb5PasswordEnd,shadowMax,shadowLastChange"
    by set="user & [cn=User Password Admins,cn=groups,dc=my,dc=domain,dc=xy]/uniqueMember*" write
    by * break