#7342 admins group is not including all permissions of Role "User Administrator"
Closed: fixed 6 years ago Opened 6 years ago by frenaud.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1519723

Description of problem:

I don't know if this has been on purpose as a feature or if it could be
considered a bug. Customers are confused about this.

For them, adding a user to the group "cn=admins" is enough to make a user have
the same rights as the "admin" user.

But there's at least one Permission missing, namely the ability to do this:

aci: (targetattr = "krblastpwdchange || krbpasswordexpiration || krbprincipalk
 ey || userpassword")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=
 provisioning,dc=cgparente,dc=local")(targetfilter = "(objectclass=posixaccoun
 t)")(version 3.0;acl "permission:System: Reset Preserved User password";allow
  (read,search,write) groupdn = "ldap:///cn=System: Reset Preserved User passw
 ord,cn=permissions,cn=pbac,dc=cgparente,dc=local";)

Example:

user "example" is member of admin groups:

ipa group-show admins
  Group name: admins
  Description: Account administrators group
  GID: 142600000
  Member users: admin, example
  Member of groups: ad_users


kinit example
Password for example@CGPARENTE.LOCAL:

ipa user-del test --preserve
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
'krbLastPwdChange' attribute of entry 'uid=test,cn=deleted
users,cn=accounts,cn=provisioning,dc=cgparente,dc=local'

ipa role-add-member "User Administrator" --user=example

kinit example
ipa user-del test --preserve

Works.
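As an added example (not part of the ticket or of FreeIPA's own code), the following Python script unfolds the LDIF-wrapped ACI quoted above, parses its target attributes, rights and groupdn bind rule, and then resolves nested membership the way the ticket's two scenarios play out: uid=example sitting only in cn=admins never reaches the permission's groupdn, while membership in the "User Administrator" role does. The membership graph, the privilege name "User Administrators" and every DN in it are constructed sample data laid out in FreeIPA's usual permission/privilege/role structure; the script does not talk to an LDAP server, so it can be run offline as a sanity check on how an ACI's bind rule is reached.

```python
"""Parse a 389-ds/FreeIPA ACI and check who actually reaches its groupdn."""
import re

# Constructed sample input: the ACI from the ticket, LDIF-folded exactly as
# reported (continuation lines start with one space, which LDIF unfolding strips).
SAMPLE_LDIF = (
    'aci: (targetattr = "krblastpwdchange || krbpasswordexpiration || krbprincipalk\n'
    ' ey || userpassword")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=\n'
    ' provisioning,dc=cgparente,dc=local")(targetfilter = "(objectclass=posixaccoun\n'
    ' t)")(version 3.0;acl "permission:System: Reset Preserved User password";allow\n'
    '  (read,search,write) groupdn = "ldap:///cn=System: Reset Preserved User passw\n'
    ' ord,cn=permissions,cn=pbac,dc=cgparente,dc=local";)\n'
)

BASE = "dc=cgparente,dc=local"
PERMISSION_DN = f"cn=System: Reset Preserved User password,cn=permissions,cn=pbac,{BASE}"
PRIVILEGE_DN = f"cn=User Administrators,cn=privileges,cn=pbac,{BASE}"   # constructed
ROLE_DN = f"cn=User Administrator,cn=roles,cn=accounts,{BASE}"           # constructed
ADMINS_DN = f"cn=admins,cn=groups,cn=accounts,{BASE}"                    # constructed
ADMIN_USER = f"uid=admin,cn=users,cn=accounts,{BASE}"                    # constructed
EXAMPLE_USER = f"uid=example,cn=users,cn=accounts,{BASE}"                # constructed

# Constructed membership graph (entry DN -> its direct member DNs). FreeIPA
# evaluates a groupdn bind rule through nested membership:
# permission <- privilege <- role <- user. cn=admins is a plain group that the
# permission entry never lists, which is exactly the gap the ticket describes.
SAMPLE_MEMBERS = {
    PERMISSION_DN: [PRIVILEGE_DN],
    PRIVILEGE_DN: [ROLE_DN],
    ROLE_DN: [],
    ADMINS_DN: [ADMIN_USER, EXAMPLE_USER],
}


def unfold_ldif(text):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_aci(aci):
    """Extract the security-relevant fields of one ACI value into a dict."""
    if aci.startswith("aci:"):
        aci = aci[4:].strip()

    def first(pattern):
        m = re.search(pattern, aci)
        return m.group(1) if m else None

    attrs = first(r'targetattr\s*=\s*"([^"]*)"') or ""
    rights = first(r'\b(?:allow|deny)\s*\(([^)]*)\)') or ""
    return {
        "name": first(r'acl\s+"([^"]*)"'),
        "targetattr": [a.strip() for a in attrs.split("||") if a.strip()],
        "target": first(r'\(target\s*=\s*"([^"]*)"\)'),
        "targetfilter": first(r'targetfilter\s*=\s*"([^"]*)"'),
        "effect": first(r'\b(allow|deny)\s*\('),
        "rights": [r.strip() for r in rights.split(",") if r.strip()],
        # every groupdn the bind rule names, with the ldap:/// prefix removed
        "groupdn": [g.replace("ldap:///", "")
                    for g in re.findall(r'groupdn\s*=\s*"([^"]*)"', aci)],
    }


def effective_members(dn, members, seen=None):
    """Transitively expand an entry's members (cycle-safe)."""
    seen = set() if seen is None else seen
    for child in members.get(dn, []):
        if child not in seen:
            seen.add(child)
            effective_members(child, members, seen)
    return seen


def bind_rule_matches(user_dn, aci, members):
    """True when the user is a nested member of at least one groupdn of the ACI."""
    return any(user_dn in effective_members(g, members) for g in aci["groupdn"])


def add_member(members, dn, member_dn):
    """Return a copy of the membership graph with member_dn added to dn."""
    updated = {k: list(v) for k, v in members.items()}
    updated.setdefault(dn, []).append(member_dn)
    return updated


if __name__ == "__main__":
    aci = parse_aci(unfold_ldif(SAMPLE_LDIF)[0])
    print(aci["name"], aci["effect"], aci["rights"], "on", aci["targetattr"])
    print("example via cn=admins only:", bind_rule_matches(EXAMPLE_USER, aci, SAMPLE_MEMBERS))
    with_role = add_member(SAMPLE_MEMBERS, ROLE_DN, EXAMPLE_USER)   # ipa role-add-member
    print("example after role-add-member:", bind_rule_matches(EXAMPLE_USER, aci, with_role))
```

The parser deliberately reports every groupdn in the bind rule, so the same audit loop can be run over an `ipa permission-show --all --raw` dump to list which permissions a group such as cn=admins reaches only through a privilege/role chain rather than directly.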

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1519723

6 years ago

Metadata Update from @frenaud:
- Issue assigned to frenaud

6 years ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1426

6 years ago

Metadata Update from @frenaud:
- Issue priority set to: important
- Issue set to the milestone: FreeIPA 4.6.3

6 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.6.4 (was: FreeIPA 4.6.3)

6 years ago

FreeIPA 4.6.3 has been released, moving to FreeIPA 4.6.4 milestone

master:

  • d647072 ACI: grant access to admins group instead of admin user

ipa-4-6:

  • 35f6a1a ACI: grant access to admins group instead of admin user

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago
