Bug 1338031 - Insufficient 'write' privilege on some attributes for the members of the role which has "User Administrators" privilege.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Kaleem
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-05-20 19:28 UTC by Abhinay Reddy Peddireddy
Modified: 2019-10-10 12:08 UTC (History)

Fixed In Version: ipa-4.4.0-0.el7.1.alpha1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 05:54:16 UTC
Target Upstream Version:
Embargoed:




Links
System: Red Hat Product Errata
ID: RHBA-2016:2404
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: ipa bug fix and enhancement update
Last Updated: 2016-11-03 13:56:18 UTC

Description Abhinay Reddy Peddireddy 2016-05-20 19:28:44 UTC
Description of problem:

Not able to edit the employeenumber, email and departmentnumber attributes as a user who is added to a role having the "User Administrators" privilege.

Getting the error below:

ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'employeeNumber' attribute of entry 'uid=ipauser,cn=users,cn=accounts,dc=redhat,dc=com'.


Steps to Reproduce:

1. Create a user in IPA with the Kerberos principal of admin.
  
  # kinit admin 

  # ipa user-add abhinayreddy --password 

2. Create a new role in IPA.  

   # ipa role-add usermodifier
  
3. Add the "User Administrators" privilege to the newly created role.
   
   # ipa role-add-privilege --privileges="User Administrators" usermodifier

4. Add the newly created user as a member of the role.

   # ipa role-add-member --users=abhinayreddy usermodifier

5. Get the Kerberos principal for the user "abhinayreddy".

   # kinit abhinayreddy 

6. Try to modify the employeenumber, email or departmentnumber of the user "ipauser".

   # ipa user-mod --employeenumber=123 ipauser

   # ipa user-mod --departmentnumber=12345 ipauser

   # ipa user-mod --email=rd ipauser


Actual results:

Getting the error below:

ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'employeeNumber' attribute of entry 'uid=ipauser,cn=users,cn=accounts,dc=redhat,dc=com'.

ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'departmentNumber' attribute of entry 'uid=ipauser,cn=users,cn=accounts,dc=redhat,dc=com'.

ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'mail' attribute of entry 'uid=ipauser,cn=users,cn=accounts,dc=redhat,dc=com'.



Expected results:

User "abhinayreddy" should be able to modify the employeenumber, email and departmentnumber attributes of the user "ipauser".


# ipa user-mod --employeenumber=123 ipauser 
----------------------------
Modified user "ipauser"
----------------------------
  User login: ipauser
  First name: ipa
  Last name: user
  Home directory: /home/ipauser
  Login shell: /bin/sh
  Email address: ipauser.redhat.com
  UID: 659600018
  GID: 659600018
  Account disabled: False
  Employee Number: 123
  Password: True
  Member of groups: ipausers
  Roles: usermodifier
  Kerberos keys available: True


# ipa user-mod --departmentnumber=122 ipauser 
----------------------------
Modified user "ipauser"
----------------------------
  User login: ipauser
  First name: ipa
  Last name: user
  Home directory: /home/ipauser
  Login shell: /bin/sh
  Email address: ipauser.redhat.com
  UID: 659600018
  GID: 659600018
  Account disabled: False
  Department Number: 122
  Password: True
  Member of groups: ipausers
  Roles: usermodifier
  Kerberos keys available: True


# ipa user-mod --email=ipauser ipauser 
----------------------------
Modified user "ipauser"
----------------------------
  User login: ipauser
  First name: ipa
  Last name: user
  Home directory: /home/ipauser
  Login shell: /bin/sh
  Email address: ipauser.redhat.com
  UID: 659600018
  GID: 659600018
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Roles: usermodifier
  Kerberos keys available: True


Additional info:

Maybe this is helpful:

I can see that there is no write permission defined for these attributes in the permissions of Modify Users.


# System: Modify Users, permissions, pbac, gsslab.pnq.redhat.com
dn: cn=System: Modify Users,cn=permissions,cn=pbac,dc=gsslab,dc=pnq,dc=redhat,
 dc=com
ipaPermTargetFilter: (objectclass=posixaccount)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify Users
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=User Administrators,cn=privileges,cn=pbac,dc=gsslab,dc=pnq,dc=redha
 t,dc=com
member: cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=gsslab,dc
 =pnq,dc=redhat,dc=com
ipaPermDefaultAttr: telephonenumber
ipaPermDefaultAttr: cn
ipaPermDefaultAttr: labeleduri
ipaPermDefaultAttr: manager
ipaPermDefaultAttr: street
ipaPermDefaultAttr: displayname
ipaPermDefaultAttr: homephone
ipaPermDefaultAttr: title
ipaPermDefaultAttr: facsimiletelephonenumber
ipaPermDefaultAttr: loginshell
ipaPermDefaultAttr: employeetype
ipaPermDefaultAttr: description
ipaPermDefaultAttr: businesscategory
ipaPermDefaultAttr: preferredlanguage
ipaPermDefaultAttr: roomnumber
ipaPermDefaultAttr: mepmanagedentry
ipaPermDefaultAttr: carlicense
ipaPermDefaultAttr: postalcode
ipaPermDefaultAttr: givenname
ipaPermDefaultAttr: pager
ipaPermDefaultAttr: seealso
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: inetuserhttpurl
ipaPermDefaultAttr: l
ipaPermDefaultAttr: st
ipaPermDefaultAttr: mobile
ipaPermDefaultAttr: gecos
ipaPermDefaultAttr: sn
ipaPermDefaultAttr: ou
ipaPermDefaultAttr: secretary
ipaPermDefaultAttr: userclass
ipaPermDefaultAttr: initials
ipaPermLocation: cn=users,cn=accounts,dc=redhat,dc=com

Comment 2 Martin Bašti 2016-05-23 07:48:28 UTC
Hello,

'employeenumber' is not covered by default by the privilege you mentioned above.

However, it can be added by modifying 'Permission: System: Modify Users'.

Please open IPA WebUI (as admin), IPA Server/Role Based Access control/Permissions/'Permission: System: Modify Users'  and mark 'employee number' in effective attributes section.

Same for email, and department number.


Please let me know if the provided steps work.
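The comment above describes the workaround through the Web UI. The following script is an added example, not code from the bug report or from the FreeIPA project: it audits a managed permission's effective attributes from the output of `ipa permission-show --all --raw` and, when asked, adds the missing ones with `ipa permission-mod --includedattrs`. The attribute list in REQUIRED is an assumption drawn from this report (employeenumber, mail, departmentnumber); the permission dump used in the audit functions is passed in as text, so only apply_fix needs the ipa CLI and an admin Kerberos ticket.

```shell
#!/bin/sh
# Added example, not part of the bug report. Audits an IPA managed permission
# for the attributes a "User Administrators" member must be able to write and,
# on request, adds the missing ones as included attributes. The ipa CLI and an
# admin ticket are needed only by apply_fix; the audit functions run offline.

PERMISSION="System: Modify Users"
# Attributes the report shows as not writable by default (assumed list;
# extend it to whatever your user administrators need).
REQUIRED="employeenumber mail departmentnumber"

# effective_attrs RAW: print the attributes the permission grants, one per line.
# RAW is the text of `ipa permission-show "<name>" --all --raw`, whose lines
# look like "  ipapermdefaultattr: cn".
# Effective set = (default + included) - excluded.
effective_attrs() {
    printf '%s\n' "$1" | awk '
        { key = tolower($1); val = tolower($2) }
        key == "ipapermdefaultattr:" || key == "ipapermincludedattr:" { want[val] = 1 }
        key == "ipapermexcludedattr:" { drop[val] = 1 }
        END { for (a in want) if (!(a in drop)) print a }
    ' | sort
}

# missing_attrs RAW "a b c": print, in the order given, the required attributes
# the permission does not grant (empty output when nothing is missing).
missing_attrs() {
    have=$(effective_attrs "$1")
    missing=""
    for a in $2; do
        printf '%s\n' "$have" | grep -qx "$a" || missing="$missing $a"
    done
    echo "${missing# }"
}

# apply_fix: fetch the live permission and add the missing attributes as
# included attributes. The whole included list is passed back because ipa
# *-mod options replace a multi-valued list rather than appending to it.
apply_fix() {
    raw=$(ipa permission-show "$PERMISSION" --all --raw) || return 1
    missing=$(missing_attrs "$raw" "$REQUIRED")
    if [ -z "$missing" ]; then
        echo "$PERMISSION already grants: $REQUIRED"
        return 0
    fi
    existing=$(printf '%s\n' "$raw" |
        awk 'tolower($1) == "ipapermincludedattr:" { print tolower($2) }')
    set --
    for a in $existing $missing; do
        set -- "$@" "--includedattrs=$a"
    done
    echo "adding to $PERMISSION: $missing"
    ipa permission-mod "$PERMISSION" "$@"
}

# Usage: source this file and run `apply_fix` with an admin ticket, or audit a
# saved dump offline: missing_attrs "$(cat modify-users.raw)" "$REQUIRED"
```

Included attributes are the supported way to widen a managed (SYSTEM) permission: IPA regenerates ipaPermDefaultAttr on upgrade, while ipaPermIncludedAttr and ipaPermExcludedAttr are kept, so a change made this way survives the package update that later ships corrected defaults. Re-running the audit after an upgrade is a cheap check that the effective set is still what the user administrators were granted.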

Comment 3 Martin Bašti 2016-05-25 13:18:46 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5911

Comment 4 Abhinay Reddy Peddireddy 2016-05-26 14:32:54 UTC
Check-marking those attributes in the effective users section of the write privilege worked fine as expected.

Comment 5 Martin Bašti 2016-05-29 12:16:16 UTC
Great, defaults will be fixed in 7.3

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/1ce63e6193701679f539f7c83ddee9f65056b806

Comment 7 Scott Poore 2016-09-09 23:59:27 UTC
Verified.

Version ::

ipa-server-4.4.0-9.el7.x86_64

Results ::

[root@master ~]# ipa user-add testadmin --first=f --last=l
----------------------
Added user "testadmin"
----------------------
  User login: testadmin
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/testadmin
  GECOS: f l
  Login shell: /bin/sh
  Principal name: testadmin
  Principal alias: testadmin
  Email address: testadmin
  UID: 989000013
  GID: 989000013
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@master ~]# ipa passwd testadmin
New Password: 
Enter New Password again to verify: 
-----------------------------------------
Changed password for "testadmin"
-----------------------------------------

[root@master ~]# kinit testadmin
Password for testadmin: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

[root@master ~]# kdestroy -A

[root@master ~]# kinit admin
Password for admin: 

[root@master ~]# ipa role-add testrole
---------------------
Added role "testrole"
---------------------
  Role name: testrole

[root@master ~]# ipa role-add-privilege --privileges="User Administrators" testrole
  Role name: testrole
  Privileges: User Administrators
----------------------------
Number of privileges added 1
----------------------------

[root@master ~]# ipa role-add-member --users=testadmin testrole
  Role name: testrole
  Member users: testadmin
  Privileges: User Administrators
-------------------------
Number of members added 1
-------------------------

[root@master ~]# ipa user-add testuser --first=f --last=l
---------------------
Added user "testuser"
---------------------
  User login: testuser
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/testuser
  GECOS: f l
  Login shell: /bin/sh
  Principal name: testuser
  Principal alias: testuser
  Email address: testuser
  UID: 989000014
  GID: 989000014
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@master ~]# kdestroy -A

[root@master ~]# kinit testadmin
Password for testadmin: 

[root@master ~]# ipa user-mod testuser --employeenumber=123
------------------------
Modified user "testuser"
------------------------
  User login: testuser
  First name: f
  Last name: l
  Home directory: /home/testuser
  Login shell: /bin/sh
  Principal name: testuser
  Principal alias: testuser
  Email address: testuser
  UID: 989000014
  GID: 989000014
  Employee Number: 123
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@master ~]# ipa user-mod testuser --departmentnumber=122
------------------------
Modified user "testuser"
------------------------
  User login: testuser
  First name: f
  Last name: l
  Home directory: /home/testuser
  Login shell: /bin/sh
  Principal name: testuser
  Principal alias: testuser
  Email address: testuser
  UID: 989000014
  GID: 989000014
  Department Number: 122
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@master ~]# ipa user-mod testuser --email=testuser
------------------------
Modified user "testuser"
------------------------
  User login: testuser
  First name: f
  Last name: l
  Home directory: /home/testuser
  Login shell: /bin/sh
  Principal name: testuser
  Principal alias: testuser
  Email address: testuser
  UID: 989000014
  GID: 989000014
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@master ~]# ipa user-mod testuser --manager=admin
------------------------
Modified user "testuser"
------------------------
  User login: testuser
  First name: f
  Last name: l
  Home directory: /home/testuser
  Login shell: /bin/sh
  Principal name: testuser
  Principal alias: testuser
  Email address: testuser
  UID: 989000014
  GID: 989000014
  Manager: admin
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

Comment 9 errata-xmlrpc 2016-11-04 05:54:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

