Permission in user.py contains hardcoded values of cn=ipausers group
    'System: Add User to default group': {
        'non_object': True,
        'ipapermright': {'write'},
        'ipapermlocation': DN(api.env.container_group, api.env.basedn),
        'ipapermtarget': DN('cn=ipausers', api.env.container_group, api.env.basedn),
        'ipapermdefaultattr': {'member'},
        'replaces': [
            '(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX";)',
        ],
        'default_privileges': {'User Administrators'},
    },
However, IPA allows the default group to be changed:
ipa config-mod --defaultgroup=STR
If the default group is changed, the permission 'System: Add User to default group' will not work.
Metadata Update from @mbasti: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5 backlog
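An added example (not FreeIPA code and not part of the ticket): a stand-alone check for the mismatch described above, comparing the target DN in the quoted ACI with the DN of the currently configured default group. The suffix `dc=example,dc=test`, the group name `employees` and all function names are constructed for illustration.

```python
import re

# ACI string as quoted in the ticket ($SUFFIX is the template placeholder).
ACI = ('(targetattr = "member")'
       '(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")'
       '(version 3.0;acl "permission:Add user to default group";allow (write) '
       'groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX";)')

SUFFIX = "dc=example,dc=test"  # constructed sample suffix


def normalize_dn(dn):
    """Lower-case a DN and trim spaces around RDNs (simplified: no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def aci_target_dn(aci):
    """Return the DN from the (target = "ldap:///...") clause, or None if absent."""
    # "(targetattr = ...)" does not match: "=" must follow "target" directly.
    match = re.search(r'\(\s*target\s*=\s*"ldap:///([^"]+)"\s*\)', aci)
    return match.group(1) if match else None


def default_group_dn(group_cn, suffix):
    """DN of the default group in the group container seen in the quoted ACI."""
    return "cn=%s,cn=groups,cn=accounts,%s" % (group_cn, suffix)


def permission_covers_default_group(aci, default_group_cn, suffix):
    """True only if the ACI target is exactly the configured default group."""
    target = aci_target_dn(aci)
    if target is None:
        return False
    target = target.replace("$SUFFIX", suffix)
    return normalize_dn(target) == normalize_dn(default_group_dn(default_group_cn, suffix))


if __name__ == "__main__":
    # "employees" is a constructed name standing in for a changed default group.
    for group in ("ipausers", "employees"):
        ok = permission_covers_default_group(ACI, group, SUFFIX)
        print("default group %-10s covered by permission: %s" % (group, ok))
```

The check is a plain DN comparison and does not handle wildcard targets or escaped characters in RDN values.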