Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 971384
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem:
It seems that default "Unlock user accounts" permission doesn't include nsaccountlock attribute. Thus errors like the following are reported:

ipa user-disable user
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'nsAccountLock' attribute of entry 'uid=user,cn=users,cn=accounts,dc=example,dc=com'.

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-26.el6_4.2

How reproducible:
Every time

Steps to Reproduce:
1. Create a new privilege with only "Unlock user accounts"
2. Create a new role and assign the privilege that was created in step 1
3. Give the role of step 2 to a user.
4. Using that user's tokens try to disable another user:
# ipa user-disable user2

Actual results:
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'nsAccountLock' attribute of entry 'uid=user2,cn=users,cn=accounts,dc=example,dc=com'.

Expected results:
Disabling the user.

Additional info:
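An added check (not part of the ticket or of FreeIPA) for auditing whether a permission actually grants write on the attribute a command needs: it parses the "Attributes:" line of `ipa permission-show` output and compares attribute names case-insensitively, since LDAP treats nsaccountlock and nsAccountLock as the same attribute. The sample output below is constructed for a 3.0 server and its exact layout is an assumption; the `--attrs` option of `ipa permission-mod` is real.

```shell
#!/bin/sh
# Constructed sample of `ipa permission-show "Unlock user accounts"` output
# (assumed format; not taken from the ticket). Note nsaccountlock is absent.
SAMPLE_OUTPUT='  Permission name: Unlock user accounts
  Permissions: write
  Attributes: krbLastAdminUnlock, krbLoginFailedCount
  Type: user
  Granted to Privilege: Modify Users and Reset passwords'

# Extract the comma-separated attribute list from permission-show output,
# one attribute per line, whitespace stripped.
_perm_attrs() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*Attributes:[[:space:]]*//p' \
      | tr ',' '\n' \
      | tr -d ' \t'
}

# permission_has_attr OUTPUT ATTR
# Exit status 0 if ATTR is listed on the "Attributes:" line.
# LDAP attribute names are case-insensitive, so compare in lower case.
permission_has_attr() {
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    _perm_attrs "$1" | tr '[:upper:]' '[:lower:]' | grep -qx "$want"
}

# missing_attr_fix OUTPUT ATTR
# If ATTR is missing, print the attribute list with ATTR appended, i.e. the
# value to pass as:  ipa permission-mod "<name>" --attrs=<printed list>
# Prints nothing and returns 1 if the permission already covers ATTR.
missing_attr_fix() {
    if permission_has_attr "$1" "$2"; then
        return 1
    fi
    current=$(_perm_attrs "$1" | paste -sd, -)
    printf '%s,%s\n' "$current" "$2"
}
```

Run against real output with `missing_attr_fix "$(ipa permission-show 'Unlock user accounts')" nsaccountlock`; an empty result means the permission already covers the attribute.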
This is a one liner addition. It can be fixed in 3.4 permission/ACI refactoring.
master:
Metadata Update from @mkosek: - Issue assigned to pviktori - Issue set to the milestone: FreeIPA 4.0 Backlog