Description of problem:

I'm trying to change attributes for a user in an ID View using ID Overrides and I'm seeing Insufficient access errors:

    [root@master ~]# ipa idoverrideuser-mod testview adoruser1 --desc="1234"
    ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'description' attribute of entry 'ipaanchoruuid=:sid:s-1-5-21-2178499580-3696211733-3412024300-1104,cn=testview,cn=views,cn=accounts,dc=ipa,dc=test'.

Version-Release number of selected component (if applicable):

ipa-server-4.4.0-9.el7.x86_64

How reproducible:

always

Steps to Reproduce:

1. Set up IPA Master with Trust to AD Domain with user added

2. Create ID View and Override for AD User on Host

    ipa idview-add testview
    ipa idview-apply testview --hosts=master.ipa.test
    ipa idoverrideuser-add testview adoruser1

3. As AD User change description

    kdestroy -A
    kinit adoruser1
    ipa idoverrideuser-mod testview adoruser1 --desc="1234"

Actual results:

error shown above

Expected results:

should change user's description

Additional info:

If I try as user to change attribute for 'default trust view' that works.

/var/log/httpd/error_log entry:

    [Fri Sep 02 09:36:30.821075 2016] [:error] [pid 4786] ipa: INFO: [jsonserver_kerb] adoruser1: idoverrideuser_mod/1(u'testview', u'adoruser1', description=u'1234', version=u'2.212'): ACIError

I'll attach DS logs shortly
Created attachment 1197228 [details] dirsrv access log
Created attachment 1197229 [details] dirsrv errors log
This is not a bug, this is a wrong test case. AD users can only be defined in the 'Default Trust View' for self-service.