Hide Forgot
Description of problem: Version-Release number of selected component (if applicable): ipa-server-2.1.3-8.el6.x86_64 How reproducible: Steps to Reproduce: 1. [root@decepticons ~]# ipa privilege-find "User Administrators" ------------------- 1 privilege matched ------------------- Privilege name: User Administrators Description: User Administrators Permissions: add users, change a user password, add user to default group, unlock user accounts, remove users, modify users Granting privilege to roles: User Administrator ---------------------------- Number of entries returned 1 ---------------------------- [root@decepticons ~]# 2. [root@decepticons ~]# ipa privilege-find "HBAC Administrator" ------------------- 1 privilege matched ------------------- Privilege name: HBAC Administrator Description: HBAC Administrator Granting privilege to roles: IT Security Specialist ---------------------------- Number of entries returned 1 ---------------------------- [root@decepticons ~]# Actual results: HBAC Administrator Role exists with no permissions assigned No HBAC permissions Expected results: Default HBAC permissions exist HBAC Administrator Role has the expected permissions assigned Additional info:
This is the same root cause as in Bug 751029. I will target this for 6.3.0. # ipa permission-find hbac --all --------------------- 9 permissions matched --------------------- dn: cn=add hbac rule,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com Permission name: Add HBAC rule Permissions: add Subtree: ldap:///ipauniqueid=*,cn=hbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com Granted to Privilege: HBAC Administrator <<<<<<< objectclass: groupofnames, ipapermission, top dn: cn=add hbac service groups,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com Permission name: Add HBAC service groups Permissions: add Subtree: ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com Granted to Privilege: HBAC Administrator <<<<<<< objectclass: groupofnames, ipapermission, top ...
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2061
Fixed upstream: master: https://fedorahosted.org/freeipa/changeset/373e9d1cf8b6539149e50b02655bdc7e931d7bf6 ipa-2-1: https://fedorahosted.org/freeipa/changeset/6d984172afd16492ec220c3f36b51a6314808fd1
verified: # ipa permission-find hbac --all --------------------- 9 permissions matched --------------------- dn: cn=add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=com Permission name: Add HBAC rule Permissions: add Subtree: ldap:///ipauniqueid=*,cn=hbac,dc=testrelm,dc=com Granted to Privilege: HBAC Administrator memberindirect: cn=hbac administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=com objectclass: groupofnames, ipapermission, top dn: cn=add hbac service groups,cn=permissions,cn=pbac,dc=testrelm,dc=com Permission name: Add HBAC service groups Permissions: add Subtree: ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=testrelm,dc=com Granted to Privilege: HBAC Administrator memberindirect: cn=hbac administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=com objectclass: groupofnames, ipapermission, top dn: cn=add hbac services,cn=permissions,cn=pbac,dc=testrelm,dc=com Permission name: Add HBAC services Permissions: add Subtree: ldap:///cn=*,cn=hbacservices,cn=hbac,dc=testrelm,dc=com Granted to Privilege: HBAC Administrator memberindirect: cn=hbac administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=com objectclass: groupofnames, ipapermission, top dn: cn=delete hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=com Permission name: Delete HBAC rule Permissions: delete Subtree: ldap:///ipauniqueid=*,cn=hbac,dc=testrelm,dc=com Granted to Privilege: HBAC Administrator memberindirect: cn=hbac administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=com objectclass: groupofnames, ipapermission, top dn: cn=delete hbac service groups,cn=permissions,cn=pbac,dc=testrelm,dc=com Permission name: Delete HBAC service groups Permissions: delete Subtree: ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=testrelm,dc=com Granted to Privilege: HBAC Administrator memberindirect: cn=hbac administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=com objectclass: groupofnames, ipapermission, top dn: cn=delete hbac services,cn=permissions,cn=pbac,dc=testrelm,dc=com Permission name: Delete HBAC services Permissions: delete Subtree: ldap:///cn=*,cn=hbacservices,cn=hbac,dc=testrelm,dc=com Granted to Privilege: HBAC Administrator memberindirect: cn=hbac administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=com objectclass: groupofnames, ipapermission, top dn: cn=manage hbac rule membership,cn=permissions,cn=pbac,dc=testrelm,dc=com Permission name: Manage HBAC rule membership Permissions: write Attributes: memberuser, externalhost, memberservice, memberhost Subtree: ldap:///ipauniqueid=*,cn=hbac,dc=testrelm,dc=com Granted to Privilege: HBAC Administrator memberindirect: cn=hbac administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=com objectclass: groupofnames, ipapermission, top dn: cn=manage hbac service group membership,cn=permissions,cn=pbac,dc=testrelm,dc=com Permission name: Manage HBAC service group membership Permissions: write Attributes: member Subtree: ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=testrelm,dc=com Granted to Privilege: HBAC Administrator memberindirect: cn=hbac administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=com objectclass: groupofnames, ipapermission, top dn: cn=modify hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=com Permission name: Modify HBAC rule Permissions: write Attributes: servicecategory, sourcehostcategory, cn, description, ipaenabledflag, accesstime, usercategory, hostcategory, accessruletype, sourcehost Subtree: ldap:///ipauniqueid=*,cn=hbac,dc=testrelm,dc=com Granted to Privilege: HBAC Administrator memberindirect: cn=hbac administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=com objectclass: groupofnames, ipapermission, top ---------------------------- Number of entries returned 9 ---------------------------- version : ipa-server-2.2.0-9.el6.x86_64
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: No documentation needed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0819.html