Description: Sigbjorn Customer, 2022-02-18 11:10:42 UTC
Sigbjorn Lie via FreeIPA-users wrote:
On 2022-02-17 13:52, Alexander Bokovoy via FreeIPA-users wrote:
On to, 17 helmi 2022, Sigbjorn Lie-Soland via FreeIPA-users wrote:
Hi list,
We recently upgraded our IPA environment from EL7.9 to EL8.5. And now
we are testing out the new Member Manager feature.
Adding a usergroup (example: "role-groupmanager") as a MemberManager
for another group (example: "role-usergroup-A") yields an error message
when the user member of the "role-groupmanager" group (example:
"thorleif") attempts to add/remove users from the group
"role-usergroup-A":
"Insufficient access: Insufficient 'write' privilege to the 'member'
attribute of entry"
If I add the user "thorleif" directly as a MemberManager of the group
"role-usergroup-A", allows him to successfully add and remove users
from the group "role-usergroup-A".
I presume this is a bug? Is there a known BZ for this or do you need me
to open one?
According to the design document,
-------------------------------------------------------------------
Member managers are stored in a new LDAP attribute ``memberManager``
with OID 2.16.840.1.113730.3.8.23.1. It is multi-valued and contains
DNs of users and groups which can manage members of the group. The
attribute can be added to entries with object class ``ipaUserGroup``
or ``ipaHostGroup``. The attribute is indexed and its membership
controlled by referential integrity postoperation plugin.
New userattr ACIs grant principals with user DN or group DN in
``memberManager`` write permission to the ``member`` attribute of the
group.
The ``memberManager`` attribute is protected by the generic read and
modify permissions for each type of group. It is readable by everybody
with ``System: Read Groups`` / ``System: Read Hostgroups`` permission
and writable by everybody with ``System: Modify Groups`` /
``System: Modify Hostgroups`` permission.
-------------------------------------------------------------------
So there are two parts here: ACI and a proper object class
'ipaUserGroup' for the group to manage (or 'ipaHostGroup' for host
group to manage).
Can you check that 'aci' attribute on cn=groups,cn=accounts,$SUFFIX and
on cn=hostgroups,cn=accounts,$SUFFIX contains the following ACIs:
# Allow member managers to modify members of user groups
dn: cn=groups,cn=accounts,$SUFFIX
aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
# Allow member managers to modify members of a host group
dn: cn=hostgroups,cn=accounts,$SUFFIX
aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
Thank you for the prompt reply!
I see the following ACI on dn: cn=groups,cn=accounts,$SUFFIX
aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
This differs from your example which includes both USERDN and GROUPDN in
the ACI, while our ACI includes only USERDN.
Looking at the ACI for dn: cn=hostgroups,cn=accounts,$SUFFIX results in
the same issue.
aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
Is there an existing BZ for this? As we recently upgraded we have just
about all the recent EL8 patches installed.
I couldn't find one.
The problem is that the ACIs are defined in two places:
install/share/default-aci.ldif
install/updates/20-aci.update
default-aci.ldif has the ACI including GROUPDN but this isn't applied on
upgrades.
20-aci.update has what you are seeing, USERDN only.
This will require two fixes: one to add the GROUPDN when the ACI is
missing and one to repair existing installs.
rob
https://www.mail-archive.com/freeipa-users@lists.fedorahosted.org/msg13581.html
Comment 3: Sigbjorn Customer, 2022-11-02 08:40:00 UTC
Could you please advise why this fix is taking so long to implement?
As far as I can see the issue has been identified, and a fix has also been identified.
In /usr/share/ipa/updates/20-aci.update, the following line:
add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
Should be replaced with
add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
We have been waiting patiently for months now, but we are really in need of having this bug fixed.
Any help would be greatly appreciated.
Any change takes time and resources and must be considered against all other bugs for priority.
Note that adding the new ACI is not a sufficient fix. The old ACI should also be removed.
Comment 5: Alexander Bokovoy, 2022-11-25 11:08:08 UTC
Marking the bug verified manually using
ipa-server-4.9.11-3.module+el8.8.0+17608+39b88723.x86_64.
Post upgrade to RHEL8.8
[root@master yum.repos.d]# cat /usr/share/ipa/updates/20-aci.update | grep 'Allow member managers'
# Allow member managers to modify members of user groups
remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
# Allow member managers to modify members of host groups
remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
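As an added example (not part of this bug report and not FreeIPA's own code): a small Python audit that takes the aci values read from cn=groups,cn=accounts,$SUFFIX and cn=hostgroups,cn=accounts,$SUFFIX, as the description asks you to check, reports whether the "Allow member managers" ACI binds only USERDN (the symptom in this bug) or is absent, and builds the delete/add LDIF that mirrors the remove:/add: pair in the 20-aci.update file shown above. The ldapsearch invocation in the docstring, the function names, and the dc=example,dc=test suffix are assumptions; the embedded LDIF is constructed, not a capture, and its first aci value is deliberately folded the way ldapsearch folds long lines so the unfolding step is exercised.

```python
"""Audit FreeIPA member-manager ACIs for the missing GROUPDN binding and build a repair LDIF.

Input is the text an ldapsearch returns, for example (assumed invocation):
    ldapsearch -LLL -Y GSSAPI -b cn=accounts,$SUFFIX '(|(cn=groups)(cn=hostgroups))' aci
"""
import re

# Post-fix ACI values as shipped in 20-aci.update (Comment 5), keyed by container RDN.
EXPECTED = {
    "cn=groups,cn=accounts": (
        '(targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")'
        '(version 3.0; acl "Allow member managers to modify members of user groups"; '
        'allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)'
    ),
    "cn=hostgroups,cn=accounts": (
        '(targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")'
        '(version 3.0; acl "Allow member managers to modify members of host groups"; '
        'allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)'
    ),
}
ACL_NAME_RE = re.compile(r'acl\s+"(Allow member managers[^"]*)"')
USERATTR_RE = re.compile(r'userattr\s*=\s*"memberManager#(USERDN|GROUPDN)"')

# Constructed sample (not a real capture): cn=groups still carries the USERDN-only ACI,
# cn=hostgroups already has the fixed one. The first aci is folded (RFC 2849 continuation).
SAMPLE_LDIF = """\
dn: cn=groups,cn=accounts,dc=example,dc=test
aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(versi
 on 3.0; acl "Allow member managers to modify members of user groups"; allow (w
 rite) userattr = "memberManager#USERDN";)
aci: (targetattr = "cn")(version 3.0; acl "Unrelated"; allow (read) userdn = "ldap:///all";)

dn: cn=hostgroups,cn=accounts,dc=example,dc=test
aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
"""


def parse_ldif(text):
    """Return {dn: [aci, ...]}, joining continuation lines (leading space) first."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, dn = {}, None
    for line in unfolded:
        if line.startswith("dn: "):
            dn = line[4:].strip()
            entries.setdefault(dn, [])
        elif line.startswith("aci: ") and dn is not None:
            entries[dn].append(line[5:].strip())
    return entries


def member_manager_bindings(aci):
    """Set of memberManager bind types (USERDN, GROUPDN) the ACI grants write through."""
    return set(USERATTR_RE.findall(aci))


def container_of(dn):
    """Map an entry DN to its EXPECTED key (cn=groups or cn=hostgroups), or None."""
    for key in EXPECTED:
        if dn.lower().startswith(key.lower() + ","):
            return key
    return None


def audit(ldif_text):
    """Per known container: the member-manager ACI found, its bindings, and whether it is complete."""
    report = {}
    for dn, acis in parse_ldif(ldif_text).items():
        key = container_of(dn)
        if key is None:
            continue
        found = [a for a in acis if ACL_NAME_RE.search(a)]
        aci = found[0] if found else None
        bindings = member_manager_bindings(aci) if aci else set()
        report[dn] = {"aci": aci, "bindings": bindings,
                      "ok": bindings == {"USERDN", "GROUPDN"}}
    return report


def needs_repair(ldif_text):
    """List of (dn, old_aci_or_None) for containers whose ACI is absent or lacks GROUPDN."""
    return [(dn, r["aci"]) for dn, r in audit(ldif_text).items() if not r["ok"]]


def repair_ldif(dn, old_aci):
    """LDIF modify that deletes the exact old value (if any) and adds the post-fix one."""
    expected = EXPECTED[container_of(dn)]
    ops = []
    if old_aci is not None:
        # a delete of a single aci value must match what is stored byte for byte,
        # which is why the audited string (not a retyped one) is reused here
        ops.append(f"delete: aci\naci: {old_aci}\n-")
    ops.append(f"add: aci\naci: {expected}\n-")
    return f"dn: {dn}\nchangetype: modify\n" + "\n".join(ops) + "\n"


if __name__ == "__main__":
    for _dn, _old in needs_repair(SAMPLE_LDIF):
        print(repair_ldif(_dn, _old))
```

The generated LDIF is what you would feed to ldapmodify as Directory Manager as a stopgap; the supported fix is the updated package, whose 20-aci.update is applied by ipa-ldap-updater during ipa-server-upgrade and performs the same remove/add. After either route, re-run the audit and confirm that a user who is a member manager only through group membership can run ipa group-add-member on the managed group.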
Comment 17: Florence Blanc-Renaud, 2023-03-15 08:48:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2023:2794