Bug 1338031
| Summary: | Insufficient 'write' privilege on some attributes for the members of the role which has "User Administrators" privilege. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Abhinay Reddy Peddireddy <apeddire> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Kaleem <ksiddiqu> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.2 | CC: | mbasti, pvoborni, rcritten, spoore |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.4.0-0.el7.1.alpha1 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-04 05:54:16 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Abhinay Reddy Peddireddy
2016-05-20 19:28:44 UTC
Hello, 'employeenumber' is not covered by default by the privilege you mentioned above. However, it can be added by modifying 'Permission: System: Modify Users'. Please open the IPA WebUI (as admin), go to IPA Server / Role Based Access Control / Permissions / 'Permission: System: Modify Users' and mark 'employee number' in the effective attributes section. Same for email and department number. Please let me know if the provided steps work.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/5911

---

Check-marking those attributes in the effective users section of the write privilege worked fine as expected.

---

Great, defaults will be fixed in 7.3.

---

Fixed upstream master: https://fedorahosted.org/freeipa/changeset/1ce63e6193701679f539f7c83ddee9f65056b806

---

Verified.

Version :: ipa-server-4.4.0-9.el7.x86_64

Results ::

```
[root@master ~]# ipa user-add testadmin --first=f --last=l
----------------------
Added user "testadmin"
----------------------
  User login: testadmin
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/testadmin
  GECOS: f l
  Login shell: /bin/sh
  Principal name: testadmin
  Principal alias: testadmin
  Email address: testadmin
  UID: 989000013
  GID: 989000013
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@master ~]# ipa passwd testadmin
New Password:
Enter New Password again to verify:
-----------------------------------------
Changed password for "testadmin"
-----------------------------------------
[root@master ~]# kinit testadmin
Password for testadmin:
Password expired. You must change it now.
Enter new password:
Enter it again:
[root@master ~]# kdestroy -A
[root@master ~]# kinit admin
Password for admin:
[root@master ~]# ipa role-add testrole
---------------------
Added role "testrole"
---------------------
  Role name: testrole
[root@master ~]# ipa role-add-privilege --privileges="User Administrators" testrole
  Role name: testrole
  Privileges: User Administrators
----------------------------
Number of privileges added 1
----------------------------
[root@master ~]# ipa role-add-member --users=testadmin testrole
  Role name: testrole
  Member users: testadmin
  Privileges: User Administrators
-------------------------
Number of members added 1
-------------------------
[root@master ~]# ipa user-add testuser --first=f --last=l
---------------------
Added user "testuser"
---------------------
  User login: testuser
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/testuser
  GECOS: f l
  Login shell: /bin/sh
  Principal name: testuser
  Principal alias: testuser
  Email address: testuser
  UID: 989000014
  GID: 989000014
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@master ~]# kdestroy -A
[root@master ~]# kinit testadmin
Password for testadmin:
[root@master ~]# ipa user-mod testuser --employeenumber=123
------------------------
Modified user "testuser"
------------------------
  User login: testuser
  First name: f
  Last name: l
  Home directory: /home/testuser
  Login shell: /bin/sh
  Principal name: testuser
  Principal alias: testuser
  Email address: testuser
  UID: 989000014
  GID: 989000014
  Employee Number: 123
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@master ~]# ipa user-mod testuser --departmentnumber=122
------------------------
Modified user "testuser"
------------------------
  User login: testuser
  First name: f
  Last name: l
  Home directory: /home/testuser
  Login shell: /bin/sh
  Principal name: testuser
  Principal alias: testuser
  Email address: testuser
  UID: 989000014
  GID: 989000014
  Department Number: 122
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@master ~]# ipa user-mod testuser --email=testuser
------------------------
Modified user "testuser"
------------------------
  User login: testuser
  First name: f
  Last name: l
  Home directory: /home/testuser
  Login shell: /bin/sh
  Principal name: testuser
  Principal alias: testuser
  Email address: testuser
  UID: 989000014
  GID: 989000014
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@master ~]# ipa user-mod testuser --manager=admin
------------------------
Modified user "testuser"
------------------------
  User login: testuser
  First name: f
  Last name: l
  Home directory: /home/testuser
  Login shell: /bin/sh
  Principal name: testuser
  Principal alias: testuser
  Email address: testuser
  UID: 989000014
  GID: 989000014
  Manager: admin
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
```

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html
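The workaround given in the thread is a WebUI procedure (tick the attributes in the effective attributes section of "System: Modify Users"). The script below is an added example, not part of this bug report and not FreeIPA's own tooling: it does the same check from the command line on an unpatched 7.2 host, reporting which of the three attributes the delegated role still cannot write and printing the `ipa permission-mod` call that adds them. It assumes the LDAP attribute names behind the fields in the verification output are `employeenumber`, `departmentnumber` and `mail`, that `ipa permission-show` prints `Effective attributes:` and `Included attributes:` as comma-separated lines, and that `--includedattrs` replaces the whole included-attribute list (so any attributes already included are carried over). The two `permission-show` outputs embedded in it are constructed samples.

```sh
#!/bin/sh
# Added example (not from the bug report or FreeIPA): check which of the
# attributes this bug is about are still unwritable through the managed
# permission "System: Modify Users", and print the command that fixes it.
# Attribute names and the permission-show label format are assumptions.

WANTED="employeenumber departmentnumber mail"

# Constructed sample of `ipa permission-show "System: Modify Users"` on an
# unpatched server; the attribute list is illustrative, not from a real host.
SAMPLE_BEFORE='  Permission name: System: Modify Users
  Granted rights: write
  Effective attributes: businesscategory, carlicense, cn, description, displayname, givenname, homedirectory, loginshell, sn, title
  Default attributes: businesscategory, carlicense, cn, description, displayname, givenname, homedirectory, loginshell, sn, title
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,dc=example,dc=test
  Type: user'

# Constructed sample after the workaround has been applied.
SAMPLE_AFTER='  Permission name: System: Modify Users
  Granted rights: write
  Effective attributes: businesscategory, carlicense, cn, departmentnumber, description, displayname, employeenumber, givenname, homedirectory, loginshell, mail, sn, title
  Default attributes: businesscategory, carlicense, cn, description, displayname, givenname, homedirectory, loginshell, sn, title
  Included attributes: departmentnumber, employeenumber, mail
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,dc=example,dc=test
  Type: user'

# list_field LABEL: read permission-show output on stdin and print the
# comma-separated list after "LABEL:" one attribute per line, lowercased.
list_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" \
        | tr ',' '\n' | tr -d ' ' | tr '[:upper:]' '[:lower:]' | sed '/^$/d'
}

# missing_attrs: print the wanted attributes that are not in the effective
# (writable) set, space separated; prints nothing when all are present.
missing_attrs() {
    have=$(list_field "Effective attributes")
    missing=""
    for a in $WANTED; do
        if ! printf '%s\n' "$have" | grep -qxF "$a"; then
            missing="$missing $a"
        fi
    done
    printf '%s' "${missing# }"
}

# fix_command: print the ipa command that grants the missing attributes by
# extending the permission's included-attribute list. --includedattrs is
# taken to replace the whole list, so existing entries are repeated.
fix_command() {
    input=$(cat)
    missing=$(printf '%s\n' "$input" | missing_attrs)
    [ -n "$missing" ] || return 0
    existing=$(printf '%s\n' "$input" | list_field "Included attributes" | tr '\n' ' ')
    cmd='ipa permission-mod "System: Modify Users"'
    for a in $existing $missing; do
        cmd="$cmd --includedattrs=$a"
    done
    printf '%s\n' "$cmd"
}

# Dry run against the constructed samples.
printf '%s\n' "$SAMPLE_BEFORE" | fix_command
printf 'after workaround, still missing: [%s]\n' \
    "$(printf '%s\n' "$SAMPLE_AFTER" | missing_attrs)"

# Live check, only where an enrolled client and an admin ticket are available.
if command -v ipa >/dev/null 2>&1; then
    ipa permission-show "System: Modify Users" | fix_command
fi
```

Run it with an admin ticket on the server to get the exact `permission-mod` line for that host; run it without `ipa` in the path and it only exercises the samples. Re-running after the change should report nothing missing, which is the same condition the `ipa user-mod` session above verifies from the delegated user's side.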