Bug 2056009 - MemberManager with groups fails
Summary: MemberManager with groups fails
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.5
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Florence Blanc-Renaud
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks: 2148887
 
Reported: 2022-02-18 11:10 UTC by Sigbjorn Customer
Modified: 2023-05-16 09:29 UTC (History)
CC: 12 users

Fixed In Version: ipa-4.9.11-3.module+el8.8.0+17608+39b88723
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 2148887
Environment:
Last Closed: 2023-05-16 08:28:45 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links:
  Fedora Pagure freeipa issue 9286 (last updated 2022-11-25 11:08:08 UTC)
  Red Hat Issue Tracker FREEIPA-7863 (last updated 2022-02-18 11:11:37 UTC)
  Red Hat Issue Tracker RHELPLAN-112820 (last updated 2022-02-18 11:11:41 UTC)
  Red Hat Product Errata RHBA-2023:2794 (last updated 2023-05-16 08:29:36 UTC)

Description Sigbjorn Customer 2022-02-18 11:10:42 UTC
Sigbjorn Lie via FreeIPA-users wrote:
On 2022-02-17 13:52, Alexander Bokovoy via FreeIPA-users wrote:
On to, 17 helmi 2022, Sigbjorn Lie-Soland via FreeIPA-users wrote:
Hi list,

We recently upgraded our IPA environment from EL7.9 to EL8.5, and now
we are testing out the new Member Manager feature.

Adding a usergroup (example: "role-groupmanager") as a MemberManager
for another group (example: "role-usergroup-A") yields an error message
when a user member of the "role-groupmanager" group (example:
"thorleif") attempts to add/remove users from the group
"role-usergroup-A":

"Insufficient access: Insufficient 'write' privilege to the 'member'
attribute of entry"

If I add the user "thorleif" directly as a MemberManager of the group
"role-usergroup-A", it allows him to successfully add and remove users
from the group "role-usergroup-A".

I presume this is a bug? Is there a known BZ for this or do you need me
to open one?

According to the design document,

-------------------------------------------------------------------
Member managers are stored in a new LDAP attribute ``memberManager``
with OID 2.16.840.1.113730.3.8.23.1. It is multi-valued and contains
DNs of users and groups which can manage members of the group. The
attribute can be added to entries with object class ``ipaUserGroup``
or ``ipaHostGroup``. The attribute is indexed and its membership
controlled by referential integrity postoperation plugin.
New userattr ACIs grant principals with user DN or group DN in
``memberManager`` write permission to the ``member`` attribute of the
group.

The ``memberManager`` attribute is protected by the generic read and
modify permissions for each type of group. It is readable by everybody
with ``System: Read Groups`` / ``System: Read Hostgroups`` permission
and writable by everybody with ``System: Modify Groups`` /
``System: Modify Hostgroups`` permission.
-------------------------------------------------------------------

So there are two parts here: ACI and a proper object class
'ipaUserGroup' for the group to manage (or 'ipaHostGroup' for host
group to manage).

Can you check that 'aci' attribute on cn=groups,cn=accounts,$SUFFIX and
on cn=hostgroups,cn=accounts,$SUFFIX contains the following ACIs:

# Allow member managers to modify members of user groups
dn: cn=groups,cn=accounts,$SUFFIX
aci: (targetattr = "member")(targetfilter =
"(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers
to modify members of user groups"; allow (write) userattr =
"memberManager#USERDN" or userattr = "memberManager#GROUPDN";)

# Allow member managers to modify members of a host group
dn: cn=hostgroups,cn=accounts,$SUFFIX
aci: (targetattr = "member")(targetfilter =
"(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers
to modify members of host groups"; allow (write) userattr =
"memberManager#USERDN" or userattr = "memberManager#GROUPDN";)


Thank you for the prompt reply!

I see the following ACI on dn: cn=groups,cn=accounts,$SUFFIX
aci: (targetattr = "member")(targetfilter =
"(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to
modify members of user groups"; allow (write) userattr =
"memberManager#USERDN";)

This differs from your example which includes both USERDN and GROUPDN in
the ACI, while our ACI includes only USERDN.

Looking at the ACI for dn: cn=hostgroups,cn=accounts,$SUFFIX results in
the same issue.
aci: (targetattr = "member")(targetfilter =
"(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to
modify members of host groups"; allow (write) userattr =
"memberManager#USERDN";)


Is there an existing BZ for this? As we recently upgraded we have just
about all the recent EL8 patches installed.

I couldn't find one.

The problem is that the ACIs are defined in two places:

install/share/default-aci.ldif
install/updates/20-aci.update

default-aci.ldif has the ACI including GROUPDN but this isn't applied on
upgrades.

20-aci.update has what you are seeing, USERDN only.

This will require two fixes: one to add the GROUPDN when the ACI is
missing and one to repair existing installs.

rob


https://www.mail-archive.com/freeipa-users@lists.fedorahosted.org/msg13581.html

Comment 3 Sigbjorn Customer 2022-11-02 08:40:00 UTC
Could you please advise why this fix is taking so long to implement?
As far as I can see the issue has been identified, and a fix has also been identified.

In /usr/share/ipa/updates/20-aci.update, the following line:

add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)

Should be replaced with

add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)

We have been waiting patiently for months now, but we are really in need of having this bug fixed.

Any help would be greatly appreciated.

Comment 4 Rob Crittenden 2022-11-02 12:24:10 UTC
Any change takes time and resources and must be considered against all other bugs for priority.

Note that adding the new ACI is not a sufficient fix. The old ACI should also be removed.

Comment 5 Alexander Bokovoy 2022-11-25 11:08:08 UTC
I cloned this to https://pagure.io/freeipa/issue/9286 and added a PR at https://github.com/freeipa/freeipa/pull/6565

Comment 6 Florence Blanc-Renaud 2022-11-28 09:30:16 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/e1fd9ebb7380c206c1cac2d7b40f78b4581fddf5

Comment 7 Florence Blanc-Renaud 2022-11-28 17:54:41 UTC
Fixed upstream
ipa-4-10:
https://pagure.io/freeipa/c/42be04fe4ff317efe599dcbc2637f94ecc6fa220

Comment 8 Florence Blanc-Renaud 2022-12-02 12:22:03 UTC
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/651e28c1fb6b86ad1fbd4ea98644e00b7042499c

Comment 16 Sudhir Menon 2023-01-30 14:11:06 UTC
Marking the bug verified manually using
ipa-server-4.9.11-3.module+el8.8.0+17608+39b88723.x86_64.

Post upgrade to RHEL8.8

[root@master yum.repos.d]#  cat /usr/share/ipa/updates/20-aci.update  | grep 'Allow member managers'
# Allow member managers to modify members of user groups
remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
# Allow member managers to modify members of host groups
remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
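The description asks an administrator to check that the 'aci' attribute on cn=groups,cn=accounts,$SUFFIX actually grants both "memberManager#USERDN" and "memberManager#GROUPDN", and Comment 4 points out that on an upgraded server the old USERDN-only ACI must be removed, not merely supplemented. The following script is an added example written for this page, not code from FreeIPA or from anyone in the thread. It parses the subset of 389-ds ACI syntax these ACIs use, reports which memberManager bind types are missing for a given group object class, and simulates the remove:/add: lines of the 20-aci.update excerpt shown above against a list of ACI values. The ACI strings are constructed from the values quoted in the thread; `apply_update` is a simplified reading of the update-file format, not ipa's own updater, and it does not talk to LDAP.

```python
"""Check FreeIPA memberManager ACIs for the USERDN-only defect (added example)."""
import re
from dataclasses import dataclass

# Constructed samples (not read from a live server): the ACI the reporter
# found on the upgraded server, and the one default-aci.ldif ships.
OLD_USERGROUP_ACI = (
    '(targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")'
    '(version 3.0; acl "Allow member managers to modify members of user groups"; '
    'allow (write) userattr = "memberManager#USERDN";)'
)
NEW_USERGROUP_ACI = (
    '(targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")'
    '(version 3.0; acl "Allow member managers to modify members of user groups"; '
    'allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)'
)

# Constructed excerpt in the shape of ipa's *.update files: drop the old
# value, then add the corrected one (the fix Comment 16 shows).
UPDATE_TEXT = f"""dn: cn=groups,cn=accounts,$SUFFIX
remove:aci: {OLD_USERGROUP_ACI}
add:aci: {NEW_USERGROUP_ACI}
"""


@dataclass
class Aci:
    name: str
    targetattrs: list[str]
    targetfilter: str
    rights: list[str]
    userattr_rules: list[str]  # e.g. ["memberManager#USERDN", "memberManager#GROUPDN"]


_TARGET_RE = re.compile(r'\((targetattr|targetfilter)\s*=\s*"([^"]*)"\)')
_BODY_RE = re.compile(r'\(version\s+3\.0;\s*acl\s+"([^"]*)";\s*(.*)\)\s*$', re.S)


def parse_aci(value: str) -> Aci:
    """Parse the subset of 389-ds ACI syntax that the IPA group ACIs use."""
    targets = dict(_TARGET_RE.findall(value))
    m = _BODY_RE.search(value)
    if m is None or "targetattr" not in targets:
        raise ValueError(f"unsupported ACI: {value!r}")
    name, body = m.group(1), m.group(2)
    rights_m = re.search(r'allow\s*\(([^)]*)\)', body)
    if rights_m is None:
        raise ValueError(f"no allow clause in ACI {name!r}")
    return Aci(
        name=name,
        targetattrs=[a.strip().lower() for a in targets["targetattr"].split("||")],
        targetfilter=targets.get("targetfilter", "").lower(),
        rights=[r.strip().lower() for r in rights_m.group(1).split(",")],
        userattr_rules=re.findall(r'userattr\s*=\s*"([^"]*)"', body),
    )


def member_manager_bind_types(aci_values, objectclass: str) -> set[str]:
    """Bind types (USERDN/GROUPDN) granted write on 'member' for this group class."""
    wanted_filter = f"(objectclass={objectclass})".lower()
    found = set()
    for value in aci_values:
        aci = parse_aci(value)
        if "member" not in aci.targetattrs or aci.targetfilter != wanted_filter:
            continue
        if "write" not in aci.rights and "all" not in aci.rights:
            continue
        for rule in aci.userattr_rules:
            attr, _, bind_type = rule.partition("#")
            if attr.lower() == "membermanager":
                found.add(bind_type.upper())
    return found


def missing_member_manager_grants(aci_values, objectclass: str) -> list[str]:
    """Which of USERDN/GROUPDN the entry's ACIs fail to grant; empty means healthy."""
    return sorted({"USERDN", "GROUPDN"} - member_manager_bind_types(aci_values, objectclass))


def apply_update(aci_values, update_text: str) -> list[str]:
    """Apply remove:aci:/add:aci: lines from an ipa-style update file to a value list."""
    values = list(aci_values)
    for line in update_text.splitlines():
        op, sep, rest = line.partition(":aci: ")
        if not sep:
            continue  # dn: line or an attribute we do not model
        if op == "remove" and rest in values:
            values.remove(rest)
        elif op == "add" and rest not in values:
            values.append(rest)
    return values


if __name__ == "__main__":
    print("before:", missing_member_manager_grants([OLD_USERGROUP_ACI], "ipaUserGroup"))
    after = apply_update([OLD_USERGROUP_ACI], UPDATE_TEXT)
    print("after:", missing_member_manager_grants(after, "ipaUserGroup"), len(after), "ACI(s)")
```

Running it reports `['GROUPDN']` for the upgraded server's ACI and `[]` once the remove/add pair has been applied, leaving a single ACI on the entry. Feeding `apply_update` only the `add:aci:` line instead leaves both the old and the new ACI in place, which is the point Comment 4 makes: the stale USERDN-only value has to be removed as well. To check a real server, pass the `aci` values of cn=groups,cn=accounts,$SUFFIX (and of cn=hostgroups with "ipaHostGroup") obtained with `ipa-ldap-updater` logs or an LDAP search to `missing_member_manager_grants`.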

Comment 17 Florence Blanc-Renaud 2023-03-15 08:48:17 UTC
Test added upstream
master:
https://pagure.io/freeipa/c/4acd9fe9f7f0934ff26bbd6254c036341b1dae52

Test case: 
ipatests/test_integration/test_membermanager.py::TestMemberManager::test_member_manager_upgrade_scenario

Comment 20 errata-xmlrpc 2023-05-16 08:28:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2794

