Description of problem:

Version-Release number of selected component (if applicable):
ipa-server-2.1.3-8.el6.x86_64

How reproducible:

Steps to Reproduce:
1.
[root@decepticons ~]# ipa privilege-find "User Administrators"
-------------------
1 privilege matched
-------------------
  Privilege name: User Administrators
  Description: User Administrators
  Permissions: add users, change a user password, add user to default group, unlock user accounts, remove users, modify users
  Granting privilege to roles: User Administrator
----------------------------
Number of entries returned 1
----------------------------
[root@decepticons ~]#

2.
[root@decepticons ~]# ipa privilege-find "Modify Group membership"
-------------------
1 privilege matched
-------------------
  Privilege name: Modify Group membership
  Description: Modify Group membership
  Granting privilege to roles: helpdesk
----------------------------
Number of entries returned 1
----------------------------
[root@decepticons ~]#

3.

Actual results:
Modify Group membership Role exists with no permissions assigned
No Modify Group membership permissions

Expected results:
Default Modify Group membership permissions exist
Modify Group membership Role has the expected permissions assigned

Additional info:
This issue is not blocking; these permissions are members of the privileges. We just miss the memberof attribute in privilege LDAP objects. These permissions are not listed for the privilege.

# ipa permission-find
...
  Permission name: Modify Group membership
  Permissions: write
  Attributes: member
  Type: group
  Granted to Privilege: Group Administrators
...

I just checked that the permissions are functionally OK. Plain user fbar without any role:

$ ipa group-add-member foousers --users=fbar
  Group name: foousers
  Description: foo
  GID: 706800004
  Failed members:
    member user: fbar: Insufficient access: Insufficient 'write' privilege to the 'member' attribute of entry 'cn=foousers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'.

Now we assign him a role:

# ipa role-add-member "User Administrator" --users=fbar

And he has the right to modify the membership:

$ ipa group-add-member foousers --users=fbar
  Group name: foousers
  Description: foo
  GID: 706800004
  Member users: fbar
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2058
You tested the User Administrator role, not the Modify Group membership role. The problem appears to be that the permissions are added before the privilege in the update file, so the member attribute is being lost.

$ ipa user-add --first=Tim --last=Test --password
$ kinit ttest
$ ipa group-add-member --users=ttest editors
  Group name: editors
  Description: Limited admins who can edit other users
  GID: 750400002
  Failed members:
    member user: ttest: Insufficient access: Insufficient 'write' privilege to the 'member' attribute of entry 'cn=editors,cn=groups,cn=accounts,dc=example,dc=com'.
-------------------------
Number of members added 0
-------------------------
$ kinit admin
$ ipa role-add-member --users=ttest helpdesk
  Role name: helpdesk
  Description: Helpdesk
  Member users: ttest
  Privileges: modify users and reset passwords, modify group membership
-------------------------
Number of members added 1
-------------------------
$ kinit ttest
$ ipa group-add-member --users=ttest editors
  Group name: editors
  Description: Limited admins who can edit other users
  GID: 750400002
  Failed members:
    member user: ttest: Insufficient access: Insufficient 'write' privilege to the 'member' attribute of entry 'cn=editors,cn=groups,cn=accounts,dc=example,dc=com'.
-------------------------
Number of members added 0
-------------------------
You are right, I used a role with the wrong privilege. The "User Administrator" role contains a "Group Administrators" privilege which has correct memberof links to the group membership related permissions.
I did some more research in this area and found out why I used the "Group Administrators" privilege instead of the "Modify Group membership" privilege. No permission was ever a member of "Modify Group membership", i.e. there is neither a "member" nor a "memberof" link between the group membership related permissions and the privilege. On the contrary, Group Administrators has the member/memberof links, so that is the reason it works.

I did another test: for the privilege to work, just a member attribute is enough. I tested this with SUDO, as user fbar:

$ ipa sudorule-add foo --desc=foo
ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the entry 'ipaUniqueID=2a3e4ff8-06b6-11e1-894b-00163e2d6a08,cn=sudorules,cn=sudo,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'.

Now I add him the privilege without the memberof links:

# ipa privilege-show "SUDO Administrator"
  Privilege name: Sudo Administrator
  Description: Sudo Administrator
  Granting privilege to roles: IT Security Specialist, foo     <<<<< No permission listed
# ipa role-show foo
  Role name: foo
  Description: foo
  Privileges: sudo administrator
# ipa role-add-member foo --users=fbar
  Role name: foo
  Description: foo
  Member users: fbar
  Privileges: sudo administrator
-------------------------
Number of members added 1
-------------------------

And then as fbar I can add SUDO rules:

$ ipa sudorule-add foo --desc=foo
---------------------
Added Sudo Rule "foo"
---------------------
  Rule name: foo
  Description: foo
  Enabled: TRUE

This proves that a correct member attribute is sufficient for permissions to work, i.e. other privileges with missing memberof links should be functional (SUDO, HBAC, ...).
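The distinction drawn in the comments above (the forward `member` link is what actually grants access, the `memberOf` back-link is only what `ipa privilege-show` displays) can be checked directly against an LDIF dump of the cn=pbac subtree. The following is an added example written for this page, not FreeIPA code or anything from the bug's attachments. It parses a small constructed LDIF sample (not taken from any real server), reports privileges that grant nothing and member/memberOf pairs that do not match, and shows the difference between the permissions a privilege really grants and the ones the CLI would list. The DN layout under cn=privileges,cn=pbac and cn=permissions,cn=pbac is an assumption about the deployment; the parser handles only plain `attr: value` lines and folded continuation lines, not base64 (`::`) values.

```python
"""Audit member/memberOf links between privilege and permission entries.

Added example, not FreeIPA code. Input is a minimal LDIF dump such as
`ldapsearch -LLL -b cn=pbac,$SUFFIX member memberOf` would produce.
"""
from collections import defaultdict

# Assumed DN layout of the permission/privilege containers.
PRIV_SUFFIX = ",cn=privileges,cn=pbac,"
PERM_SUFFIX = ",cn=permissions,cn=pbac,"

# Constructed sample (not from a real server). It mirrors the situations in the
# bug: "Group Administrators" is fully linked; the "Modify Group membership"
# privilege is listed by no permission at all; "Sudo Administrator" is a member
# of a permission but lacks the memberOf back-link, so the CLI shows nothing.
SAMPLE_LDIF = """\
dn: cn=Modify Group membership,cn=permissions,cn=pbac,dc=example,dc=com
cn: Modify Group membership
member: cn=Group Administrators,cn=privileges,cn=pbac,dc=example,dc=com

dn: cn=Add Sudo rule,cn=permissions,cn=pbac,dc=example,dc=com
cn: Add Sudo rule
member: cn=Sudo Administrator,cn=privileges,cn=pbac,dc=example,dc=com

dn: cn=Group Administrators,cn=privileges,cn=pbac,dc=example,dc=com
cn: Group Administrators
memberOf: cn=Modify Group membership,cn=permissions,cn=pbac,dc=example,dc=com

dn: cn=Modify Group membership,cn=privileges,cn=pbac,dc=example,dc=com
cn: Modify Group membership

dn: cn=Sudo Administrator,cn=privileges,cn=pbac,dc=example,dc=com
cn: Sudo Administrator
"""


def parse_ldif(text):
    """Parse plain LDIF into {dn_lowercase: {attr_lowercase: [values]}}.

    DNs are compared case-insensitively; attribute names are lower-cased, so
    `memberOf` becomes the key "memberof". The original DN is kept in ["dn"].
    """
    entries, current, last_attr = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            current = None            # blank line ends the entry
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += line[1:]   # folded continuation line
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = defaultdict(list)
            current["dn"].append(value)
            entries[value.lower()] = current
        elif current is not None:
            current[attr].append(value)
        last_attr = attr
    return entries


def _lower_set(values):
    return {v.lower() for v in values}


def granted_permissions(entries, privilege_dn):
    """Permissions that really grant through this privilege: every permission
    whose `member` lists the privilege. This is the forward link the directory
    evaluates for the ACI; it works even when memberOf is missing."""
    key = privilege_dn.lower()
    return sorted(e["dn"][0] for k, e in entries.items()
                  if PERM_SUFFIX in k and key in _lower_set(e.get("member", [])))


def displayed_permissions(entries, privilege_dn):
    """What `ipa privilege-show` would list: the privilege's own memberOf."""
    e = entries.get(privilege_dn.lower())
    return sorted(e.get("memberof", [])) if e else []


def audit_links(entries):
    """Return sorted (problem, holder_of_member, holder_of_memberof) tuples."""
    findings = set()
    for key, attrs in entries.items():
        dn = attrs["dn"][0]
        for target in attrs.get("member", []):
            t = entries.get(target.lower())
            if t is None:
                findings.add(("dangling-member", dn, target))
            elif key not in _lower_set(t.get("memberof", [])):
                findings.add(("missing-memberof", dn, target))
        for source in attrs.get("memberof", []):
            s = entries.get(source.lower())
            if s is None or key not in _lower_set(s.get("member", [])):
                findings.add(("orphan-memberof", source, dn))
        if PRIV_SUFFIX in key and not granted_permissions(entries, dn):
            findings.add(("privilege-grants-nothing", dn, ""))
    return sorted(findings)


if __name__ == "__main__":
    db = parse_ldif(SAMPLE_LDIF)
    for problem, holder, back in audit_links(db):
        print(f"{problem}: {holder} -> {back}")
```

Running it on a real dump replaces SAMPLE_LDIF with the ldapsearch output; "missing-memberof" findings are display-only (the privilege still works, as the SUDO test above shows), whereas "privilege-grants-nothing" and "dangling-member" mean a role holding that privilege gets no rights from it.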
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/373e9d1cf8b6539149e50b02655bdc7e931d7bf6
ipa-2-1: https://fedorahosted.org/freeipa/changeset/6d984172afd16492ec220c3f36b51a6314808fd1
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: No documentation needed.
Verified using ipa-server-2.2.0-12.el6.x86_64

# ipa privilege-find "Modify Group membership"
-------------------
1 privilege matched
-------------------
  Privilege name: Modify Group membership
  Description: Modify Group membership
  Permissions: Modify Group membership
  Granting privilege to roles: helpdesk
----------------------------
Number of entries returned 1
----------------------------

Modify Group membership Role has the expected permissions assigned
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0819.html