Bug 817909
Summary: | error indicates a different reason when ipa permission-mod fails to modify attrs | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Namita Soman <nsoman> |
Component: | ipa | Assignee: | Martin Kosek <mkosek> |
Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
Severity: | unspecified | Docs Contact: | |
Priority: | medium | ||
Version: | 7.0 | CC: | mkosek |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | ipa-4.0.3-1.el7 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2015-03-05 10:08:23 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 976382, 1153292 | ||
Bug Blocks: |
Description
Namita Soman
2012-05-01 18:40:34 UTC
Does this happen on all permissions or only this specific permission? Possibly related Permission when using Filter. # ipa permission-show "Add krbPrincipalName to a host" Permission name: Add krbPrincipalName to a host Permissions: write Attributes: krbprincipalname Type: host Filter: (!(krbprincipalname=*)) Granted to Privilege: Host Administrators, Host Enrollment # ipa permission-mod "Add krbPrincipalName to a host" --attrs=krbprincipalkey ipa: ERROR: invalid 'target': type, filter, subtree and targetgroup are mutually exclusive But works for other permissions as below: # ipa permission-show "Modify Group Password Policy" Permission name: Modify Group Password Policy Permissions: write Attributes: krbmaxpwdlife, krbminpwdlife, krbpwdhistorylength, krbpwdmindiffchars, krbpwdminlength, krbpwdmaxfailure, krbpwdfailurecountinterval, krbpwdlockoutduration Subtree: ldap:///cn=*,cn=TESTRELM.COM,cn=kerberos,dc=testrelm,dc=com Granted to Privilege: Password Policy Administrator # ipa permission-mod "Modify Group Password Policy" --attrs=krbmaxpwdlife,krbminpwdlife,krbpwdhistorylength,krbpwdmaxfailure,krbpwdfailurecountinterval -------------------------------------------------- Modified permission "Modify Group Password Policy" -------------------------------------------------- Permission name: Modify Group Password Policy Permissions: write Attributes: krbmaxpwdlife, krbminpwdlife, krbpwdhistorylength, krbpwdmaxfailure, krbpwdfailurecountinterval Subtree: ldap:///cn=*,cn=TESTRELM.COM,cn=kerberos,dc=testrelm,dc=com Granted to Privilege: Password Policy Administrator # ipa permission-show "Enroll a host" Permission name: Enroll a host Permissions: write Attributes: objectclass Type: host Granted to Privilege: Host Administrators, Host Enrollment # ipa permission-mod "Enroll a host" --attrs=description ----------------------------------- Modified permission "Enroll a host" ----------------------------------- Permission name: Enroll a host Permissions: write Attributes: description Type: host Granted to Privilege: Host Administrators, Host Enrollment Thanks Namita. Rob, I think that the mutually exclusive target type list should only include type, subtree and targetgroup. User may want to apply the permission only for a subset of these targets, i.e. he needs to combine it with a filter. A good example is the permission "Add krbPrincipalName to a host" that Namita posted. I will open an upstream ticket for that. Upstream ticket: https://fedorahosted.org/freeipa/ticket/2718 Fixed upstream in scope of https://fedorahosted.org/freeipa/ticket/3566: # ipa permission-show "Change a user password" Permission name: Change a user password Permissions: write Effective attributes: krbprincipalkey, passwordhistory, sambalmpassword, sambantpassword, userpassword Bind rule type: permission Subtree: dc=example,dc=com ACI target filter: (!(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com)) ACI target DN: uid=*,cn=users,cn=accounts,dc=example,dc=com Granted to Privilege: Modify Users and Reset passwords, User Administrators # ipa permission-mod "Change a user password" --attrs={userpassword,krbprincipalkey,sambalmpassword,passwordhistory} -------------------------------------------- Modified permission "Change a user password" -------------------------------------------- Permission name: Change a user password Permissions: write Effective attributes: krbprincipalkey, passwordhistory, sambalmpassword, userpassword Bind rule type: permission Subtree: dc=example,dc=com ACI target filter: (!(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com)) ACI target DN: uid=*,cn=users,cn=accounts,dc=example,dc=com Granted to Privilege: Modify Users and Reset passwords, User Administrators Verified using ipa-server-4.1.0-15.el7.x86_64 # ipa permission-mod "System: Change user password" --attrs={userpassword,krbprincipalkey,sambalmpassword,passwordhistory} -------------------------------------------------- Modified permission "System: Change user password" -------------------------------------------------- Permission name: System: Change User password Granted rights: write Effective attributes: krbprincipalkey, passwordhistory, sambalmpassword, userpassword Excluded attributes: sambantpassword Default attributes: userpassword, krbprincipalkey, sambantpassword, passwordhistory, sambalmpassword Bind rule type: permission Subtree: cn=users,cn=accounts,dc=testrelm,dc=test Extra target filter: (!(memberOf=cn=admins,cn=groups,cn=accounts,dc=testrelm,dc=test)) Type: user Granted to Privilege: User Administrators, Modify Users and Reset passwords Indirect Member of roles: User Administrator, helpdesk Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0442.html |