#5137 ipa-replica-manage: show an ACI error instead of not found error
Opened 3 years ago by mbasti. Modified 2 years ago

I was kinited as a regular user (I forgot about it).
Then I was getting contradictory results about replicas.
It would be better to show an ACI error instead of a not found error.

[root@vm-218 ~]# ipa-replica-manage list
vm-235.example.com: master
vm-218.example.com: master
[root@vm-218 ~]# ipa-replica-manage list-ruv
No RUV records found.

[root@vm-218 ~]# kdestroy 
[root@vm-218 ~]# kinit admin
Password for admin@EXAMPLE.COM: 
[root@vm-218 ~]# ipa-replica-manage list-ruv
vm-218.example.com:389: 4
vm-235.example.com:389: 7

I don't believe an ACI error is thrown in this case. The bound user simply doesn't have permission to read the entries so nothing is returned.

Perhaps "get effective rights" can/should be used more liberally so an error is returned on this type of read and not 0 entries.
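
An added illustration of the "get effective rights" idea above, not code from FreeIPA or from this ticket: it parses output in the entryLevelRights / attributeLevelRights form that 389 Directory Server returns with the Get Effective Rights control, and separates an empty read caused by missing rights from a genuinely empty one. The DN, the sample LDIF and the function names are assumptions constructed for the example.

```python
import re

# Constructed samples (not from the ticket): search output with the Get
# Effective Rights control, as a privileged bind would see it for each subject.
# The DN is a placeholder; the second sample has a folded LDIF line.
GER_REGULAR_USER = """\
dn: cn=ruv-holder,dc=example,dc=com
entryLevelRights: none
attributeLevelRights: nsds50ruv:none
"""
GER_ADMIN = """\
dn: cn=ruv-holder,dc=example,dc=com
entryLevelRights: vadn
attributeLevelRights: objectClass:rsc,
  nsds50ruv:rsc
"""

def parse_ger(ldif):
    """Return {dn: (entry_rights, {attr: rights})} from GER search output."""
    entries = {}
    unfolded = re.sub(r"\n ", "", ldif)  # LDIF continuation lines start with a space
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, entry_rights, attr_rights = None, "none", {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.lower(), value.strip()
            if key == "dn":
                dn = value
            elif key == "entrylevelrights":
                entry_rights = value
            elif key == "attributelevelrights":
                for item in value.split(","):
                    attr, _, rights = item.strip().partition(":")
                    attr_rights[attr.lower()] = rights
        if dn:
            entries[dn] = (entry_rights, attr_rights)
    return entries

def diagnose_empty_read(ger_ldif, attr):
    """Explain why a read of `attr` came back with zero entries for the subject."""
    entries = parse_ger(ger_ldif)
    if not entries:
        return "no matching entries"
    for entry_rights, attr_rights in entries.values():
        # 'v' = may view the entry, 'r' = may read the attribute; "none" has neither.
        if "v" not in entry_rights or "r" not in attr_rights.get(attr.lower(), "none"):
            return "insufficient access"
    return "readable"
```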

I agree with Rob.

Stretch in 4.3

Not a blocker for 4.3.

Metadata Update from @mbasti:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

2 years ago
