Bug 751028
| Summary: | Default Password Policy Administrator Role - Permissions missing | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Gowrishankar Rajaiyan <grajaiya> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.2 | CC: | dpal, jgalipea, mkosek, nsoman |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-2.2.0-1.el6 | Doc Type: | Bug Fix |
| Doc Text: |
No documentation needed.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-06-20 13:16:17 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 756082 | ||
|
Description
Gowrishankar Rajaiyan
2011-11-03 09:42:43 UTC
This is the same issue as with Bug 751029. I will target this for 6.3.0. # ipa permission-find password --all dn: cn=add group password policy,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com Permission name: Add Group Password Policy Permissions: add Subtree: ldap:///cn=*,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com Granted to Privilege: Password Policy Administrator <<<<<<< objectclass: groupofnames, ipapermission, top dn: cn=add group password policy costemplate,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com Permission name: Add Group Password Policy costemplate Permissions: add Subtree: ldap:///cn=*,cn=costemplates,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com Granted to Privilege: Password Policy Administrator <<<<<<< objectclass: groupofnames, ipapermission, top ... Upstream ticket: https://fedorahosted.org/freeipa/ticket/2059 Fixed upstream: master: https://fedorahosted.org/freeipa/changeset/373e9d1cf8b6539149e50b02655bdc7e931d7bf6 ipa-2-1: https://fedorahosted.org/freeipa/changeset/6d984172afd16492ec220c3f36b51a6314808fd1 verified:
# ipa permission-find password --all
---------------------
8 permissions matched
---------------------
dn: cn=add group password policy,cn=permissions,cn=pbac,dc=testrelm,dc=com
Permission name: Add Group Password Policy
Permissions: add
Subtree: ldap:///cn=*,cn=TESTRELM.COM,cn=kerberos,dc=testrelm,dc=com
Granted to Privilege: Password Policy Administrator
memberindirect: cn=password policy administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=security architect,cn=roles,cn=accounts,dc=testrelm,dc=com
objectclass: groupofnames, ipapermission, top
dn: cn=add group password policy costemplate,cn=permissions,cn=pbac,dc=testrelm,dc=com
Permission name: Add Group Password Policy costemplate
Permissions: add
Subtree: ldap:///cn=*,cn=costemplates,cn=accounts,dc=testrelm,dc=com
Granted to Privilege: Password Policy Administrator
memberindirect: cn=password policy administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=security architect,cn=roles,cn=accounts,dc=testrelm,dc=com
objectclass: groupofnames, ipapermission, top
dn: cn=change a user password,cn=permissions,cn=pbac,dc=testrelm,dc=com
Permission name: Change a user password
Permissions: write
Attributes: userpassword, krbprincipalkey, sambalmpassword, sambantpassword, passwordhistory
Type: user
Filter: (!(memberOf=cn=admins,cn=groups,cn=accounts,dc=testrelm,dc=com))
Granted to Privilege: User Administrators, Modify Users and Reset passwords
memberindirect: cn=user administrators,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=modify users and reset
passwords,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=user administrator,cn=roles,cn=accounts,dc=testrelm,dc=com,
cn=helpdesk,cn=roles,cn=accounts,dc=testrelm,dc=com
objectclass: top, groupofnames, ipapermission
dn: cn=delete group password policy,cn=permissions,cn=pbac,dc=testrelm,dc=com
Permission name: Delete Group Password Policy
Permissions: delete
Subtree: ldap:///cn=*,cn=TESTRELM.COM,cn=kerberos,dc=testrelm,dc=com
Granted to Privilege: Password Policy Administrator
memberindirect: cn=password policy administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=security architect,cn=roles,cn=accounts,dc=testrelm,dc=com
objectclass: groupofnames, ipapermission, top
dn: cn=delete group password policy costemplate,cn=permissions,cn=pbac,dc=testrelm,dc=com
Permission name: Delete Group Password Policy costemplate
Permissions: delete
Subtree: ldap:///cn=*,cn=costemplates,cn=accounts,dc=testrelm,dc=com
Granted to Privilege: Password Policy Administrator
memberindirect: cn=password policy administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=security architect,cn=roles,cn=accounts,dc=testrelm,dc=com
objectclass: groupofnames, ipapermission, top
dn: cn=modify group password policy,cn=permissions,cn=pbac,dc=testrelm,dc=com
Permission name: Modify Group Password Policy
Permissions: write
Attributes: krbmaxpwdlife, krbminpwdlife, krbpwdhistorylength, krbpwdmindiffchars, krbpwdminlength, krbpwdmaxfailure, krbpwdfailurecountinterval,
krbpwdlockoutduration
Subtree: ldap:///cn=*,cn=TESTRELM.COM,cn=kerberos,dc=testrelm,dc=com
Granted to Privilege: Password Policy Administrator
memberindirect: cn=password policy administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=security architect,cn=roles,cn=accounts,dc=testrelm,dc=com
objectclass: groupofnames, ipapermission, top
dn: cn=modify group password policy costemplate,cn=permissions,cn=pbac,dc=testrelm,dc=com
Permission name: Modify Group Password Policy costemplate
Permissions: write
Attributes: cospriority
Subtree: ldap:///cn=*,cn=costemplates,cn=accounts,dc=testrelm,dc=com
Granted to Privilege: Password Policy Administrator
memberindirect: cn=password policy administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=security architect,cn=roles,cn=accounts,dc=testrelm,dc=com
objectclass: groupofnames, ipapermission, top
dn: cn=modify users,cn=permissions,cn=pbac,dc=testrelm,dc=com
Permission name: Modify Users
Permissions: write
Attributes: givenname, sn, cn, displayname, title, initials, loginshell, gecos, homephone, mobile, pager, facsimiletelephonenumber, telephonenumber,
street, roomnumber, l, st, postalcode, manager, secretary, description, carlicense, labeleduri, inetuserhttpurl, seealso, employeetype,
businesscategory, ou, mepmanagedentry, objectclass
Type: user
Granted to Privilege: User Administrators, Modify Users and Reset passwords
memberindirect: cn=user administrators,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=modify users and reset
passwords,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=user administrator,cn=roles,cn=accounts,dc=testrelm,dc=com,
cn=helpdesk,cn=roles,cn=accounts,dc=testrelm,dc=com
objectclass: top, groupofnames, ipapermission
----------------------------
Number of entries returned 8
----------------------------
version:
ipa-server-2.2.0-9.el6.x86_64
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
No documentation needed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0819.html |