Bug 784315
| Summary: | doc: ipa permission-add: if no targetattr is specified, the default is no access to any attribute | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Namita Soman <nsoman> |
| Component: | doc-Identity_Management_Guide | Assignee: | Deon Ballard <dlackey> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | ecs-bugs |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 6.2 | CC: | jskeoch, mkosek, nkinder, rmeggins |
| Target Milestone: | rc | Keywords: | Documentation |
| Target Release: | 6.3 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-06-21 23:15:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Namita Soman
2012-01-24 14:49:17 UTC
I need to double-check with the 389-ds team on the assumption that specifying no attributes means all attributes.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/2304

In an aci, if you do not specify a targetattr clause, the default is no access to any attribute:

junk.ldif:

```
dn: dc=example,dc=com
changetype: modify
replace: aci
aci: (target ="ldap:///dc=example,dc=com")(targetattr != "userpassword")(version 3.0;acl "Anonymous read-search access";allow (read, search, compare)(userdn = "ldap:///anyone");)
aci: (target="ldap:///dc=example,dc=com") (targetattr = "*")(version 3.0; acl "allow all Admin group"; allow(all) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
```

```
ldapmodify -f junk.ldif
ldapsearch -xLLL -h localhost -p 1200 -b dc=example,dc=com uid=scarter
dn: uid=scarter,ou=People,dc=example,dc=com
cn: Sam Carter
sn: Carter
givenName: Sam
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: Accounting
ou: People
l: Sunnyvale
uid: scarter
mail: scarter
telephoneNumber: +1 408 555 4798
facsimileTelephoneNumber: +1 408 555 9751
roomNumber: 4612
manager: cn=uid=dmiller,ou=People,dc=example,dc=com
# every attribute except userpassword
```

But if I change the aci:

```
dn: dc=example,dc=com
changetype: modify
replace: aci
aci: (target ="ldap:///dc=example,dc=com")(version 3.0;acl "Anonymous read-search access";allow (read, search, compare)(userdn = "ldap:///anyone");)
aci: (target="ldap:///dc=example,dc=com") (targetattr = "*")(version 3.0; acl "allow all Admin group"; allow(all) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
```

```
ldapmodify -f junk.ldif
ldapsearch -xLLL -h localhost -p 1200 -b dc=example,dc=com uid=scarter
# nothing is returned
```

So in an aci, if you do not specify a targetattr, no attribute is allowed, and nothing is returned.

In Doc: 15.4.2.1. Creating New Permissions from the Web UI, Step 6 indicates that

```
<snip>
All attributes within the matching entries can be modified.
<snip>
```

which is misleading. Based on Rich's explanation above, if no attributes are specified, then the default is no access to any attribute. I tried to clarify this in both the GUI and CLI sections: http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/defining-roles.html#creating-perms

Setting all priority and severity to medium. Closing.
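The behaviour the report documents (an ACI with no targetattr clause reaches no attributes at all) is easy to miss when reviewing ACIs by eye, especially in LDIF where long values are folded across continuation lines. The following is an added example, not code from the bug report, FreeIPA or 389-ds: it unfolds LDIF continuation lines, extracts every `aci:` value, and reports the attribute scope of each one, flagging those with no targetattr clause. The regex-based clause matching and the sample LDIF (constructed to mirror the report's two ACI sets, plus a deliberately targetattr-less variant) are assumptions of this example; it does not handle every form of the ACI grammar.

```python
"""Audit 389-ds/IPA ACIs in an LDIF file for a missing targetattr clause.

Added example (not from the bug report, FreeIPA or 389-ds). It unfolds LDIF
continuation lines, pulls out every "aci:" value and reports which attributes
each ACI can reach. An ACI with no targetattr clause grants access to no
attribute at all, which is the behaviour the report documents.
"""
import re

# Constructed sample LDIF. The anonymous ACI appears twice: once with
# targetattr != "userpassword" (every attribute but the password) and once
# with no targetattr clause (no attribute at all). Lines starting with a
# single space are LDIF continuation lines, which is how the "versio n 3.0"
# and "Administr ators" artefacts in the report arose.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
changetype: modify
replace: aci
aci: (target ="ldap:///dc=example,dc=com")(targetattr != "userpassword")(versio
 n 3.0;acl "Anonymous read-search access";allow (read, search, compare)(userdn =
  "ldap:///anyone");)
aci: (target ="ldap:///dc=example,dc=com")(version 3.0;acl "Anonymous read-search
  access, no targetattr";allow (read, search, compare)(userdn = "ldap:///anyone");)
aci: (target="ldap:///dc=example,dc=com") (targetattr = "*")(version 3.0; acl "al
 low all Admin group"; allow(all) groupdn = "ldap:///cn=Directory Administr
 ators,ou=Groups,dc=example,dc=com";)
"""

ACL_NAME_RE = re.compile(r'acl\s+"([^"]*)"')
# Matches (targetattr = "...") and (targetattr != "..."), case-insensitive.
TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*(!=|=)\s*"([^"]*)"\s*\)', re.IGNORECASE)


def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with one space continues
    the previous line, and that single leading space is dropped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def extract_acis(text):
    """Return the unfolded value of every aci: attribute in the LDIF."""
    return [line[len("aci:"):].strip()
            for line in unfold_ldif(text)
            if line.lower().startswith("aci:")]


def describe_scope(aci):
    """Human-readable attribute scope, or None when targetattr is absent."""
    m = TARGETATTR_RE.search(aci)
    if m is None:
        return None
    op, value = m.group(1), m.group(2)
    attrs = [a.strip() for a in value.split("||")]
    if op == "!=":
        return "all attributes except " + ", ".join(attrs)
    if attrs == ["*"]:
        return "all attributes"
    return "only " + ", ".join(attrs)


def audit_aci(aci):
    """Summarise one ACI: its acl name, whether targetattr is present, scope."""
    name = ACL_NAME_RE.search(aci)
    scope = describe_scope(aci)
    return {
        "acl": name.group(1) if name else "<unnamed>",
        "has_targetattr": scope is not None,
        "scope": scope if scope is not None
                 else "no attributes (targetattr clause missing)",
    }


def audit_ldif(text):
    return [audit_aci(aci) for aci in extract_acis(text)]


def main():
    for row in audit_ldif(SAMPLE_LDIF):
        flag = "OK  " if row["has_targetattr"] else "WARN"
        print(f'{flag} acl "{row["acl"]}": {row["scope"]}')


if __name__ == "__main__":
    main()
```

Run against a real export (for example the output of an `ldapsearch` for the `aci` attribute saved as LDIF), the WARN lines are the ACIs that look like they grant something but, per the report, reach no attribute; the unfolding step matters because a targetattr clause split across a continuation line would otherwise be missed.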