#3697 The default "Unlock user accounts" permission doesn't include nsaccountlock
Closed: Fixed. Opened 10 years ago by mkosek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 971384

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:
It seems that the default "Unlock user accounts" permission doesn't include the
nsaccountlock attribute. Thus errors like the following are reported:

ipa user-disable user
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
'nsAccountLock' attribute of entry
'uid=user,cn=users,cn=accounts,dc=example,dc=com'.

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-26.el6_4.2

How reproducible:
Every time

Steps to Reproduce:
1. Create a new privilege with only "Unlock user accounts"
2. Create a new role and assign the privilege that was created in step 1
3. Give the role of step 2 to a user.
4. Using that user's tokens, try to disable another user:
# ipa user-disable user2

Actual results:
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
'nsAccountLock' attribute of entry
'uid=user2,cn=users,cn=accounts,dc=example,dc=com'.

Expected results:
Disabling the user.

Additional info:

This is a one liner addition. It can be fixed in 3.4 permission/ACI refactoring.

master:

  • e0cafea managed perm updater: Handle case where we changed default ACIs in the past
  • 53a63ae Convert User default permissions to managed
  • 46faed0 Add missing attributes to User managed permissions
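The check a practitioner wants before and after a fix like this is whether the ACI behind the permission actually grants `write` on the attribute the command needs. The following is an added example, not code from this ticket or from the FreeIPA project: it parses the `targetattr` and `allow` clauses of a 389-ds ACI string and reports which required attributes a named permission does not cover. The two ACI strings are constructed to illustrate the shape of the "Unlock user accounts" ACI with and without nsAccountLock; the other attribute names in them, the suffix, and the way the real ACIs are obtained (an ldapsearch of the `aci` attribute on cn=accounts, or `ipa permission-show --all --raw`) are assumptions, not facts from the ticket.

```python
"""Audit 389-ds ACI strings for write access to a given attribute.

Added example; not FreeIPA project code. ACI samples are constructed.
"""
import re

# Only the ACI clauses this audit needs: the targetattr list, the allow()
# rights list and the acl "name".
_TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
_ALLOW = re.compile(r'\ballow\s*\(([^)]*)\)', re.I)
_ACLNAME = re.compile(r'\bacl\s*"([^"]*)"', re.I)


def parse_aci(aci):
    """Split an ACI into name, targetattr set, negation flag and allowed rights.

    Attribute names are lowercased because LDAP attribute types are
    case-insensitive: 'nsaccountlock' and 'nsAccountLock' are the same
    attribute, and the error in the ticket prints the camel-case form.
    'attrs' is None when the ACI has no targetattr clause at all.
    """
    attrs, negated = None, False
    m = _TARGETATTR.search(aci)
    if m:
        negated = m.group(1) == "!="
        attrs = {a.strip().lower() for a in m.group(2).split("||") if a.strip()}
    rights = set()
    for r in _ALLOW.finditer(aci):
        rights |= {x.strip().lower() for x in r.group(1).split(",") if x.strip()}
    name = _ACLNAME.search(aci)
    return {
        "name": name.group(1) if name else "",
        "attrs": attrs,
        "negated": negated,
        "rights": rights,
    }


def grants_write(aci, attribute):
    """True if the ACI allows 'write' (or 'all') on `attribute`.

    Returns None when there is no targetattr clause: what such an ACI covers
    depends on the server's defaults, so it is flagged for manual review
    rather than silently counted either way.
    """
    p = parse_aci(aci)
    if not ({"write", "all"} & p["rights"]):
        return False
    if p["attrs"] is None:
        return None
    wanted = attribute.lower()
    if p["negated"]:
        return wanted not in p["attrs"]
    return wanted in p["attrs"] or "*" in p["attrs"]


def missing_attrs(acis, perm_name, required):
    """Attributes in `required` that no ACI named `perm_name` grants write on."""
    own = [a for a in acis if parse_aci(a)["name"].lower() == perm_name.lower()]
    return sorted(r for r in required
                  if not any(grants_write(a, r) is True for a in own))


# Constructed samples (suffix and the non-nsAccountLock attributes are assumed).
SUFFIX = "dc=example,dc=com"
PERM = "permission:Unlock user accounts"
ACI_BEFORE = (
    '(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")'
    '(version 3.0;acl "%s";allow (write) '
    'groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,%s";)'
    % (PERM, SUFFIX)
)
ACI_AFTER = (
    '(targetattr = "krbLastAdminUnlock || krbLoginFailedCount || nsAccountLock")'
    '(version 3.0;acl "%s";allow (write) '
    'groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,%s";)'
    % (PERM, SUFFIX)
)

# Attributes `ipa user-disable` / `ipa user-enable` need to write (assumed list).
REQUIRED = ["nsAccountLock", "krbLoginFailedCount"]


def audit(acis):
    """Return the attributes the 'Unlock user accounts' permission is missing."""
    return missing_attrs(acis, PERM, REQUIRED)


if __name__ == "__main__":
    print("before fix, missing:", audit([ACI_BEFORE]))  # ['nsAccountLock']
    print("after fix, missing: ", audit([ACI_AFTER]))   # []
```

Running `audit()` over the real ACI list dumped from the directory shows whether the role built in the reproduction steps can ever succeed: an empty result means `ipa user-disable` will not hit the "Insufficient 'write' privilege" error for lack of an ACI; a non-empty result names exactly the attribute to add to the permission.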

Metadata Update from @mkosek:
- Issue assigned to pviktori
- Issue set to the milestone: FreeIPA 4.0 Backlog

7 years ago

