Description of problem:

Version-Release number of selected component (if applicable):
ipa-server-2.1.3-8.el6.x86_64

How reproducible:

Steps to Reproduce:
1.
[root@decepticons ~]# ipa privilege-find "User Administrators"
-------------------
1 privilege matched
-------------------
  Privilege name: User Administrators
  Description: User Administrators
  Permissions: add users, change a user password, add user to default group, unlock user accounts, remove users, modify users
  Granting privilege to roles: User Administrator
----------------------------
Number of entries returned 1
----------------------------
[root@decepticons ~]#

2.
[root@decepticons ~]# ipa privilege-find "Password Policy Administrator"
  Privilege name: Password Policy Administrator
  Description: Password Policy Administrator
  Granting privilege to roles: Security Architect

3.

Actual results:
Password Policy Administrator Role exists with no permissions assigned
No Password Policy permissions

Expected results:
Default Password Policy permissions exist
Password Policy Administrator Role has the expected permissions assigned

Additional info:
This is the same issue as with Bug 751029. I will target this for 6.3.0.

# ipa permission-find password --all
  dn: cn=add group password policy,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  Permission name: Add Group Password Policy
  Permissions: add
  Subtree: ldap:///cn=*,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  Granted to Privilege: Password Policy Administrator <<<<<<<
  objectclass: groupofnames, ipapermission, top

  dn: cn=add group password policy costemplate,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  Permission name: Add Group Password Policy costemplate
  Permissions: add
  Subtree: ldap:///cn=*,cn=costemplates,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  Granted to Privilege: Password Policy Administrator <<<<<<<
  objectclass: groupofnames, ipapermission, top
...
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2059
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/373e9d1cf8b6539149e50b02655bdc7e931d7bf6
ipa-2-1: https://fedorahosted.org/freeipa/changeset/6d984172afd16492ec220c3f36b51a6314808fd1
verified:

# ipa permission-find password --all
---------------------
8 permissions matched
---------------------
  dn: cn=add group password policy,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Add Group Password Policy
  Permissions: add
  Subtree: ldap:///cn=*,cn=TESTRELM.COM,cn=kerberos,dc=testrelm,dc=com
  Granted to Privilege: Password Policy Administrator
  memberindirect: cn=password policy administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=security architect,cn=roles,cn=accounts,dc=testrelm,dc=com
  objectclass: groupofnames, ipapermission, top

  dn: cn=add group password policy costemplate,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Add Group Password Policy costemplate
  Permissions: add
  Subtree: ldap:///cn=*,cn=costemplates,cn=accounts,dc=testrelm,dc=com
  Granted to Privilege: Password Policy Administrator
  memberindirect: cn=password policy administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=security architect,cn=roles,cn=accounts,dc=testrelm,dc=com
  objectclass: groupofnames, ipapermission, top

  dn: cn=change a user password,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Change a user password
  Permissions: write
  Attributes: userpassword, krbprincipalkey, sambalmpassword, sambantpassword, passwordhistory
  Type: user
  Filter: (!(memberOf=cn=admins,cn=groups,cn=accounts,dc=testrelm,dc=com))
  Granted to Privilege: User Administrators, Modify Users and Reset passwords
  memberindirect: cn=user administrators,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=modify users and reset passwords,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=user administrator,cn=roles,cn=accounts,dc=testrelm,dc=com, cn=helpdesk,cn=roles,cn=accounts,dc=testrelm,dc=com
  objectclass: top, groupofnames, ipapermission

  dn: cn=delete group password policy,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Delete Group Password Policy
  Permissions: delete
  Subtree: ldap:///cn=*,cn=TESTRELM.COM,cn=kerberos,dc=testrelm,dc=com
  Granted to Privilege: Password Policy Administrator
  memberindirect: cn=password policy administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=security architect,cn=roles,cn=accounts,dc=testrelm,dc=com
  objectclass: groupofnames, ipapermission, top

  dn: cn=delete group password policy costemplate,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Delete Group Password Policy costemplate
  Permissions: delete
  Subtree: ldap:///cn=*,cn=costemplates,cn=accounts,dc=testrelm,dc=com
  Granted to Privilege: Password Policy Administrator
  memberindirect: cn=password policy administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=security architect,cn=roles,cn=accounts,dc=testrelm,dc=com
  objectclass: groupofnames, ipapermission, top

  dn: cn=modify group password policy,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Modify Group Password Policy
  Permissions: write
  Attributes: krbmaxpwdlife, krbminpwdlife, krbpwdhistorylength, krbpwdmindiffchars, krbpwdminlength, krbpwdmaxfailure, krbpwdfailurecountinterval, krbpwdlockoutduration
  Subtree: ldap:///cn=*,cn=TESTRELM.COM,cn=kerberos,dc=testrelm,dc=com
  Granted to Privilege: Password Policy Administrator
  memberindirect: cn=password policy administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=security architect,cn=roles,cn=accounts,dc=testrelm,dc=com
  objectclass: groupofnames, ipapermission, top

  dn: cn=modify group password policy costemplate,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Modify Group Password Policy costemplate
  Permissions: write
  Attributes: cospriority
  Subtree: ldap:///cn=*,cn=costemplates,cn=accounts,dc=testrelm,dc=com
  Granted to Privilege: Password Policy Administrator
  memberindirect: cn=password policy administrator,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=security architect,cn=roles,cn=accounts,dc=testrelm,dc=com
  objectclass: groupofnames, ipapermission, top

  dn: cn=modify users,cn=permissions,cn=pbac,dc=testrelm,dc=com
  Permission name: Modify Users
  Permissions: write
  Attributes: givenname, sn, cn, displayname, title, initials, loginshell, gecos, homephone, mobile, pager, facsimiletelephonenumber, telephonenumber, street, roomnumber, l, st, postalcode, manager, secretary, description, carlicense, labeleduri, inetuserhttpurl, seealso, employeetype, businesscategory, ou, mepmanagedentry, objectclass
  Type: user
  Granted to Privilege: User Administrators, Modify Users and Reset passwords
  memberindirect: cn=user administrators,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=modify users and reset passwords,cn=privileges,cn=pbac,dc=testrelm,dc=com, cn=user administrator,cn=roles,cn=accounts,dc=testrelm,dc=com, cn=helpdesk,cn=roles,cn=accounts,dc=testrelm,dc=com
  objectclass: top, groupofnames, ipapermission
----------------------------
Number of entries returned 8
----------------------------

version: ipa-server-2.2.0-9.el6.x86_64
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: No documentation needed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0819.html
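
The condition reported in this bug, a privilege that is granted to a role but carries no permissions, can be checked for mechanically. The following is an added example, not part of the original report or of FreeIPA: it parses text in the layout of the `ipa privilege-find` output quoted above and lists privileges with an empty permission set. The function names are hypothetical and the sample input is constructed from the output shown in the report.

```python
import re

# Constructed sample in the layout of the `ipa privilege-find` output quoted
# in this report (not captured from a real server).
SAMPLE = """\
--------------------
2 privileges matched
--------------------
  Privilege name: User Administrators
  Description: User Administrators
  Permissions: add users, change a user password, add user to default group, unlock user accounts, remove users, modify users
  Granting privilege to roles: User Administrator

  Privilege name: Password Policy Administrator
  Description: Password Policy Administrator
  Granting privilege to roles: Security Architect
----------------------------
Number of entries returned 2
----------------------------
"""

KEY_VALUE = re.compile(r"^\s*([^:]+):\s*(.*)$")

def split_list(value):
    """Split a comma-separated CLI value into trimmed items."""
    return [item.strip() for item in value.split(",") if item.strip()]

def parse_privileges(text):
    """Return one dict per privilege: name, permissions, roles."""
    entries, current = [], None
    for line in text.splitlines():
        match = KEY_VALUE.match(line)
        if not match:
            continue  # dashed separators, counters and blank lines
        key, value = match.group(1).strip(), match.group(2).strip()
        if key == "Privilege name":
            current = {"name": value, "permissions": [], "roles": []}
            entries.append(current)
        elif current is not None and key == "Permissions":
            current["permissions"] = split_list(value)
        elif current is not None and key == "Granting privilege to roles":
            current["roles"] = split_list(value)
    return entries

def empty_privileges(entries):
    """Privileges with no permissions, with the roles that rely on them."""
    return [(e["name"], e["roles"]) for e in entries if not e["permissions"]]

if __name__ == "__main__":
    for name, roles in empty_privileges(parse_privileges(SAMPLE)):
        print(f"privilege {name!r} has no permissions; roles affected: {roles}")
```
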