Red Hat Bugzilla – Bug 1459946
GetEffectiveRights gives false-negative with ACIs containing targetfilter
Last modified: 2017-09-27 23:32:05 EDT
This bug is created as a clone of upstream ticket:
#### Issue Description
aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Add CA";allow (add) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=pbac,<suffix>";)
The GetEffectiveRights control does not interpret this ACI as granting add
access to a user matching the `groupdn`. This behaviour causes problems
in FreeIPA because it is impossible to properly test whether a non-admin
user is able to perform some actions.
#### Package Version and Platform
#### Steps to reproduce
1. Make an ACI like the above.
2. Query effective rights for a user who matches the ACI.
3. Observe that the GER control indicates that they do not have access.
#### Actual results
If the user is a member of the `groupdn`, the GetEffectiveRights control
indicates that the user does not have add access even when the user
does have add access (albeitit conditional on the `targetfilter` matching
the object to be added.)
#### Expected results
The GetEffectiveRights control should indicate that a user has entry-level
access (add or delete) even where the access is granted conditional on a