1041261 – [RFE] Allow automember to override default group

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1041261 - [RFE] Allow automember to override default group

Summary: [RFE] Allow automember to override default group

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-12-12 14:11 UTC by James Findley
Modified:	2018-12-05 19:48 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-12-05 19:48:16 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description James Findley 2013-12-12 14:11:32 UTC

Description of problem:

I would like to be able to have users matching an automember rule to be just added to the specified group, and not also added to the default ipausers group.

This is so that limited admins can have more tightly confined permissions, that don't include the ability to write to the default group.


Version-Release number of selected component (if applicable):
ipa-server-3.0.0-37.el6.x86_64

Comment 1 Dmitri Pal 2013-12-13 14:20:29 UTC

Should this already be possible in 3.2 with https://fedorahosted.org/freeipa/ticket/3706 ?

Comment 2 Martin Kosek 2013-12-13 15:09:53 UTC

No, this was just a performance improvement so that unnecessary memberships are not loaded when traversing users in Web UI.

I was already thinking about James' request though I did not had an idea how to solve it. We could add a switch to explicitly suppress adding a new user to ipausers group (we do it unconditionally now), but I am not sure if this is what James want.

Maybe instead of adding user to ipausers group via standard LDAP operation done by the admin, we could solve it via system automember rule - AFAIK, when more rules match (the system one + custom user ones), the user should get membership to all groups - i.e. it may work. It would need to be well tested.

Comment 3 Dmitri Pal 2013-12-13 16:52:08 UTC

(In reply to Martin Kosek from comment #2)
> No, this was just a performance improvement so that unnecessary memberships
> are not loaded when traversing users in Web UI.
> 

I see.

> I was already thinking about James' request though I did not had an idea how
> to solve it. We could add a switch to explicitly suppress adding a new user
> to ipausers group (we do it unconditionally now), but I am not sure if this
> is what James want.
> 
> Maybe instead of adding user to ipausers group via standard LDAP operation
> done by the admin, we could solve it via system automember rule - AFAIK,
> when more rules match (the system one + custom user ones), the user should
> get membership to all groups - i.e. it may work. It would need to be well
> tested.

Yes. We discussed this option with Rob at some point.
We talked about making ipauser an automember rule. I remember Rob had some concerns. Check with him.

Comment 4 Rob Crittenden 2013-12-13 16:59:44 UTC

The reason for the ipausers group was so we could reference all users at once via permissions. AFAIK we've never actually written a permission to leverage this. Unsure if any users have.

So my concern was it would get disabled.

If we decide that knowing all IPA users via a group is indeed not something we need to guarantee then I'm fine moving to an automember rule. Or we could make an immutable rule I suppose.

Comment 5 Dmitri Pal 2013-12-13 17:04:28 UTC

I am not sure there is concern about someone removing the rule since there is really no impact. And if they do they can restore it anyway.
Do we have a ticket? I thought we did but could not find it.

Comment 6 Martin Kosek 2014-01-02 11:10:28 UTC

We had a ticket https://fedorahosted.org/freeipa/ticket/1952, it was closed as WONTFIX as during review, we found that the initial approach drafted by Rob 2 years ago [1] was not OK.

However, I am thinking that if we deploy an ipausers automember *rule* and not set it as default group, it should work fine as more than one automember rule can apply to new LDAP entry. I will open an upstream ticket.

[1] http://www.redhat.com/archives/freeipa-devel/2012-January/msg00199.html

Comment 7 Martin Kosek 2014-01-02 11:12:12 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4088

Comment 8 Martin Kosek 2014-01-02 11:18:15 UTC

As that this is a feature request (and not a bug), I am moving this Bugzilla to RHEL-7 product line as this will be the main target of this RFE, unless decided otherwise.

Comment 10 Petr Vobornik 2017-02-23 15:20:10 UTC

The bugzilla doesn't have high enough priority in comparison to other bugs/RFEs for 7.4. Moving to next release. Without sufficient justification it can be moved again later.

Comment 13 Rob Crittenden 2018-12-05 19:48:16 UTC

Thank you taking your time and submitting this request for Red Hat Enterprise Linux. The request was cloned to the upstream tracker a long time ago (see link to the upstream ticket above), but it was unfortunately not given priority either in the upstream project, nor in Red Hat Enterprise Linux.

Given that this request is not planned for a close release, it is highly unlikely it will be fixed in this major version of Red Hat Enterprise Linux. We are therefore closing the request as WONTFIX.

To request that Red Hat reconsiders the decision, please reopen the Bugzilla with the help of Red Hat Customer Service and provide additional business and/or technical details about it's importance to you. Please note that you can still track this request or even offer help in the referred upstream Pagure ticket to expedite the solution.

Note You need to log in before you can comment on or make changes to this bug.