#4409 Admin cannot unlock user
Closed: Fixed. Opened 9 years ago by edewata.

By default the admin cannot unlock a user.

Steps to reproduce:
1. Login as admin.
2. Add a new user.
3. Unlock the user.

Actual result:

Insufficient access: Insufficient 'write' privilege to the 'krbLoginFailedCount' attribute of entry 'uid=testuser,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'.

Expected result:
The operation should succeed.

Workaround:

ipa role-add-member --groups=admins 'User Administrator'

Good catch, this needs to be fixed before 4.0 GA:

$ kinit admin
[root@ipa ~]# echo foo | kinit fbar
Password for fbar@MKOSEK-FEDORA20.TEST: 
kinit: Password incorrect while getting initial credentials
[root@ipa ~]# echo foo | kinit fbar
Password for fbar@MKOSEK-FEDORA20.TEST: 
kinit: Password incorrect while getting initial credentials
[root@ipa ~]# echo foo | kinit fbar
Password for fbar@MKOSEK-FEDORA20.TEST: 
kinit: Password incorrect while getting initial credentials
[root@ipa ~]# echo foo | kinit fbar
Password for fbar@MKOSEK-FEDORA20.TEST: 
kinit: Password incorrect while getting initial credentials
[root@ipa ~]# echo foo | kinit fbar
Password for fbar@MKOSEK-FEDORA20.TEST: 
kinit: Password incorrect while getting initial credentials
[root@ipa ~]# echo foo | kinit fbar
Password for fbar@MKOSEK-FEDORA20.TEST: 
kinit: Password incorrect while getting initial credentials
[root@ipa ~]# echo foo | kinit fbar
kinit: Clients credentials have been revoked while getting initial credentials

[root@ipa ~]# ipa user-unlock fbar
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'krbLoginFailedCount' attribute of entry 'uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test'.

IMO, we should just remove all attributes in the Unlock permission from the admin's exception list:

 Permission name: System: Unlock User
  Granted rights: write
  Effective attributes: krblastadminunlock, krbloginfailedcount, nsaccountlock
  Default attributes: krbloginfailedcount, krblastadminunlock, nsaccountlock
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
  Type: user
  Granted to Privilege: User Administrators
  Indirect Member of roles: User Administrator

master:

  • d1ede20 Allow admins to write krbLoginFailedCount
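The reasoning in the comment above (an admin's blanket ACI excludes the unlock attributes, so the only rule that would grant the write is the Unlock permission, which the admin is not a member of by default) can be checked against a small model of the access decision. The following is an added example, not FreeIPA or 389 Directory Server code: it models one write to one attribute as "denied unless some matching ACI grants it", with an `Aci` class, an `exclude` flag that stands in for a `targetattr != ...` rule, and a constructed, shortened exception list (`DEFAULT_EXCEPTIONS`) that only assumes what the ticket states, namely that the three Unlock attributes are on it. The group and permission names are taken from the page; everything else is illustrative. On a real server the equivalent check is `ipa permission-show 'System: Unlock User'` plus a test `ipa user-unlock` as admin.

```python
"""Model of the authorization decision behind 'ipa user-unlock'.

Added example, not project code. A write to one attribute is allowed only
if at least one ACI whose bind rule matches the caller grants 'write' (or
'all') on that attribute. Two ACIs from the ticket are modelled:
  * the admins' blanket rule, written as 'allow everything except the
    attributes on an exception list' (targetattr != ...), and
  * the 'System: Unlock User' permission, granted to the
    'User Administrator' role.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Aci:
    name: str
    rights: frozenset        # {"write"} or {"all"}
    groups: frozenset        # bind rule: caller must be in one of these
    targetattr: frozenset    # attribute names, lower-cased
    exclude: bool = False    # True models 'targetattr != <list>'

    def covers(self, attr):
        attr = attr.lower()
        return attr not in self.targetattr if self.exclude else attr in self.targetattr

    def grants(self, caller_groups, attr, right):
        if not (self.groups & caller_groups):
            return False
        if right not in self.rights and "all" not in self.rights:
            return False
        return self.covers(attr)


# Attributes the Unlock permission writes (from 'ipa permission-show').
UNLOCK_ATTRS = frozenset({"krbloginfailedcount", "krblastadminunlock", "nsaccountlock"})

# Constructed placeholder for the admins' exception list: the only thing
# assumed is that the Unlock attributes are on it, as the ticket says.
DEFAULT_EXCEPTIONS = frozenset({"krbprincipalkey"}) | UNLOCK_ATTRS


def admin_aci(exception_list):
    """'Admin can manage any entry' style rule: allow all except the listed attrs."""
    return Aci("admins blanket rule", frozenset({"all"}), frozenset({"admins"}),
               frozenset(a.lower() for a in exception_list), exclude=True)


UNLOCK_ACI = Aci("System: Unlock User", frozenset({"write"}),
                 frozenset({"User Administrator"}), UNLOCK_ATTRS)


def can_write(acis, caller_groups, attr):
    """Deny by default; any matching ACI that grants the write wins."""
    caller_groups = frozenset(caller_groups)
    return any(a.grants(caller_groups, attr, "write") for a in acis)


def user_unlock(acis, caller_groups):
    """Return the first attribute the unlock is refused on, or None on success."""
    for attr in ("krbloginfailedcount", "krblastadminunlock", "nsaccountlock"):
        if not can_write(acis, caller_groups, attr):
            return attr
    return None


def default_state():
    # admin is in 'admins' only; Unlock attrs sit on the exception list.
    return user_unlock([admin_aci(DEFAULT_EXCEPTIONS), UNLOCK_ACI], {"admins"})


def workaround():
    # 'ipa role-add-member --groups=admins "User Administrator"': admin now
    # also matches the Unlock permission's bind rule.
    return user_unlock([admin_aci(DEFAULT_EXCEPTIONS), UNLOCK_ACI],
                       {"admins", "User Administrator"})


def fixed():
    # The fix proposed in the comment: drop the Unlock attrs from the list.
    return user_unlock([admin_aci(DEFAULT_EXCEPTIONS - UNLOCK_ATTRS), UNLOCK_ACI],
                       {"admins"})


if __name__ == "__main__":
    print("default  :", default_state())   # krbloginfailedcount (refused)
    print("workaround:", workaround())     # None (succeeds)
    print("fixed    :", fixed())           # None (succeeds)
```

The model makes the two repairs in the ticket visible as two different changes: the workaround widens the caller's group set so the Unlock permission matches, while the fix narrows the exception list so the admins' own rule covers the write. Note that the fix leaves every other entry on the exception list in force, so it is the smaller of the two changes in terms of what admins gain.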

Metadata Update from @edewata:
- Issue assigned to pviktori
- Issue set to the milestone: FreeIPA 4.0 GA

7 years ago
