Bug 958133

Summary: Unable to add filter to permission
Product: Red Hat Enterprise Linux 6
Reporter: Lukas Bezdicka <social>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED DUPLICATE
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.6
CC: mkosek
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-05-02 09:54:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Lukas Bezdicka 2013-04-30 13:09:33 UTC
Description of problem:
The default set of permissions comes with a filter for admins. I can't create a similar group as that one from the UI or API.

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-25.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Open IPA Server > RBAC > Permissions > Modify Group membership
2. try to change back away from permission
3. you are asked to save changes
  
Actual results:
Modify Group membership has ACI: 
  aci: (targetattr = "member")(targetfilter = "(!(cn=admins))")(target = "ldap:///cn=*,cn=groups,cn=accounts

If I try to reproduce such setup creating different permission I get:
ipa: ERROR: invalid 'target': type, filter, subtree and targetgroup are mutually exclusive
I can only do ACI:
aci: (targetattr = "member")(target = "ldap:///cn=deli,cn=groups,cn=accounts

Expected results:
* Ability to create permissions with filters on admins and so on such as the default permission "Modify Group membership".
* No UI/api issues with default permissions, they should be valid

Additional info:

Comment 1 Lukas Bezdicka 2013-04-30 13:25:04 UTC
Better use case/reproducer:
[root@kokotina03:~] ipa permission-find Change
--------------------
1 permission matched
--------------------
  Permission name: Change a user password
  Permissions: write
  Attributes: userpassword, krbprincipalkey, sambalmpassword, sambantpassword, passwordhistory
  Type: user
  Filter: (!(memberOf=cn=admins,cn=groups,cn=accounts,dc=kokot,dc=com))
  Granted to Privilege: User Administrators, Modify Users and Reset passwords
----------------------------
Number of entries returned 1

[root@kokotina03:~] ipa permission-add gdc-change-user-password  --permissions="write" --attrs="userpassword, krbprincipalkey, sambalmpassword, sambantpassword, passwordhistory" --type='user' --filter='(!(|(memberOf=cn=admins,cn=groups,cn=accounts,dc=kokot,dc=com)(memberOf=cn=ops,cn=groups,cn=accounts,dc=kokot,dc=com)))'
ipa: ERROR: invalid 'target': type, filter, subtree and targetgroup are mutually exclusive
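The reproducer above hinges on one rule in the IPA permission plugin: `--type`, `--filter`, `--subtree` and `--targetgroup` each become a single target-selecting clause in the generated ACI, and the plugin accepts only one of them, yet the shipped "Modify Group membership" ACI carries both a `target` and a `targetfilter`. The following added example (not part of the bug report or of FreeIPA's own code) parses the target clauses of a 389-ds ACI string and applies that mutual-exclusion rule at the clause level, so a reviewer can see why the default permission passes as data but cannot be recreated through `permission-add`. The two ACIs are constructed from the truncated ones on the page, with `dc=example,dc=com` and the `(version 3.0; ...)` tails assumed, and the clause-level check is a model of the plugin's behaviour, not its actual implementation.

```python
import re

# Matches one ACI target clause such as (targetattr = "member") or
# (targetfilter = "(!(cn=admins))").  Longer keywords come first so that
# "target" does not swallow "targetattr".  Values may contain escaped quotes.
TARGET_CLAUSE_RE = re.compile(
    r'\((targetattr|targetfilter|targetgroup|target)\s*(!?=)\s*"((?:[^"\\]|\\.)*)"\)'
)

# The keywords that select *which entries* an ACI applies to.  In the IPA
# permission plugin each of --type/--subtree/--targetgroup/--filter produces
# exactly one of these, and the plugin allows only one per permission.
SELECTOR_KEYWORDS = ("target", "targetfilter", "targetgroup")

# Constructed from the ACI quoted in the bug; base DN and version tail assumed.
DEFAULT_ACI = (
    '(targetattr = "member")(targetfilter = "(!(cn=admins))")'
    '(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=example,dc=com")'
    '(version 3.0;acl "permission:Modify Group membership";allow (write) '
    'groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=example,dc=com";)'
)

# Constructed from the only ACI shape the reporter could create; tail assumed.
USER_ACI = (
    '(targetattr = "member")'
    '(target = "ldap:///cn=deli,cn=groups,cn=accounts,dc=example,dc=com")'
    '(version 3.0;acl "permission:gdc-modify-deli";allow (write) '
    'groupdn = "ldap:///cn=gdc-modify-deli,cn=permissions,cn=pbac,dc=example,dc=com";)'
)


def parse_aci_targets(aci: str) -> dict[str, list[tuple[str, str]]]:
    """Return {keyword: [(operator, value), ...]} for every target clause."""
    clauses: dict[str, list[tuple[str, str]]] = {}
    for keyword, operator, value in TARGET_CLAUSE_RE.findall(aci):
        clauses.setdefault(keyword, []).append((operator, value))
    return clauses


def target_attributes(aci: str) -> list[str]:
    """Attributes named in targetattr clauses; 389-ds separates them with '||'."""
    attrs: list[str] = []
    for _operator, value in parse_aci_targets(aci).get("targetattr", []):
        attrs.extend(a.strip() for a in value.split("||") if a.strip())
    return attrs


def check_selectors_exclusive(aci: str) -> tuple[bool, list[str]]:
    """Model of the permission plugin's rule: at most one entry selector.

    Returns (acceptable, selectors_present).  An ACI that combines, say,
    target and targetfilter is valid for the directory server but cannot be
    expressed through ipa permission-add, which is the situation in the bug.
    """
    clauses = parse_aci_targets(aci)
    present = [kw for kw in SELECTOR_KEYWORDS if kw in clauses]
    return len(present) <= 1, present


def explain(aci: str) -> str:
    """Human-readable verdict mirroring the CLI error quoted in the report."""
    ok, present = check_selectors_exclusive(aci)
    if ok:
        return "acceptable to permission-add (selectors: %s)" % ", ".join(present)
    return ("rejected by permission-add: type, filter, subtree and targetgroup "
            "are mutually exclusive (ACI uses %s)" % " + ".join(present))


if __name__ == "__main__":
    for name, aci in (("Modify Group membership", DEFAULT_ACI), ("user ACI", USER_ACI)):
        print(name, "->", target_attributes(aci), "->", explain(aci))
```

Running the block prints that the shipped ACI uses `target + targetfilter` and would be rejected, while the reporter's `target`-only ACI is accepted, which is exactly the asymmetry between "default permissions are valid" and "I cannot create the same thing" that the expected results call out.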

Comment 2 Rob Crittenden 2013-04-30 14:29:37 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3597

Comment 3 Martin Kosek 2013-05-02 09:47:54 UTC
Closing upstream ticket 3597. It is a duplicate of:
https://fedorahosted.org/freeipa/ticket/3028

Comment 4 Martin Kosek 2013-05-02 09:54:10 UTC
I just noticed that this upstream ticket has its own Bugzilla - closing this one as duplicate.

*** This bug has been marked as a duplicate of bug 854335 ***