New installation includes ACIs that allow both memberManager#USERDN and memberManager#GROUPDN access:
# Allow member managers to modify members of user groups
dn: cn=groups,cn=accounts,$SUFFIX
aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)

# Allow member managers to modify members of a host group
dn: cn=hostgroups,cn=accounts,$SUFFIX
aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
However, upgrades don't get the GROUPDN part and thus do not allow group-based member managers.
This was reported as https://bugzilla.redhat.com/show_bug.cgi?id=2056009
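A check for the gap this ticket describes, as an added example that is not FreeIPA code: it reads LDIF (for instance, a dump of the two containers above) and reports member manager ACIs that lack either bind rule. The sample LDIF, its `dc=example,dc=test` suffix and the USERDN-only form of the upgraded ACI are constructed assumptions.

```python
import base64
import re

REQUIRED = {"memberManager#USERDN", "memberManager#GROUPDN"}
ACL_NAME = re.compile(r'acl\s+"([^"]+)"')
USERATTR = re.compile(r'userattr\s*=\s*"([^"]+)"')

# Constructed sample: the first ACI is the assumed pre-fix (upgraded) form with
# only USERDN; the second is the new-installation form, folded across lines.
SAMPLE_LDIF = '''\
dn: cn=groups,cn=accounts,dc=example,dc=test
aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)

dn: cn=hostgroups,cn=accounts,dc=example,dc=test
aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0;
  acl "Allow member managers to modify members of host groups"; allow (write)
  userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
'''

def unfold(ldif):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def audit_member_manager_acis(ldif):
    """Map (entry DN, ACL name) to the memberManager bind rules it lacks."""
    findings, dn = {}, None
    for line in unfold(ldif):
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        if attr not in ("dn", "aci"):
            continue
        if value.startswith(":"):  # "attr:: ..." marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value = value.strip()
        if attr == "dn":
            dn = value
            continue
        rules = set(USERATTR.findall(value))
        name = ACL_NAME.search(value)
        if rules & REQUIRED and rules < REQUIRED | rules and REQUIRED - rules:
            findings[(dn, name.group(1) if name else "?")] = sorted(REQUIRED - rules)
    return findings

if __name__ == "__main__":
    for (entry, acl), missing in audit_member_manager_acis(SAMPLE_LDIF).items():
        print(f"{entry}: '{acl}' lacks {', '.join(missing)}")
```

An empty result means every ACI that references `memberManager` allows both the user and the group form.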
Metadata Update from @abbra: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2056009
PR: https://github.com/freeipa/freeipa/pull/6565
Metadata Update from @abbra: - Issue assigned to abbra
master:
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2056009, https://bugzilla.redhat.com/show_bug.cgi?id=2148887 (was: https://bugzilla.redhat.com/show_bug.cgi?id=2056009)
ipa-4-10:
ipa-4-9:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)