Description of problem:
Add a permission with a subtree as a target. This will allow all attributes in this subtree to be modified. But one can run the CLI to add a perm and specify an attr as below:

ipa permission-add ManageHost --permissions="write" --subtree=cn=computers,cn=accounts,dc=testrelm,dc=com --memberof=groupone --attr=locality

and there is no message indicating that the attr specified here is redundant, or will be ignored, or should not be allowed.

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-101.20120117T0229zgit5febffb.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Add a permission as above

Actual results:
Permission is added:
-----------------------------
Added permission "ManageHost"
-----------------------------
  Permission name: ManageHost
  Permissions: write
  Attributes: locality
  Member of group: groupone
  Subtree: ldap:///cn=computers,cn=accounts,dc=testrelm,dc=com

Expected results:
Since the permission will allow all attributes to be modified, the attr=locality is ignored... or not allowed.

Additional info:
I need to double-check with the 389-ds team on the assumption that specifying no attributes means all attributes.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2304
in an aci, if you do not specify a targetattr clause, the default is no access to any attribute:

junk.ldif:
dn: dc=example,dc=com
changetype: modify
replace: aci
aci: (target ="ldap:///dc=example,dc=com")(targetattr != "userpassword")(version 3.0;acl "Anonymous read-search access";allow (read, search, compare)(userdn = "ldap:///anyone");)
aci: (target="ldap:///dc=example,dc=com") (targetattr = "*")(version 3.0; acl "allow all Admin group"; allow(all) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)

ldapmodify -f junk.ldif
ldapsearch -xLLL -h localhost -p 1200 -b dc=example,dc=com uid=scarter
dn: uid=scarter,ou=People,dc=example,dc=com
cn: Sam Carter
sn: Carter
givenName: Sam
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: Accounting
ou: People
l: Sunnyvale
uid: scarter
mail: scarter
telephoneNumber: +1 408 555 4798
facsimileTelephoneNumber: +1 408 555 9751
roomNumber: 4612
manager: cn=uid=dmiller,ou=People,dc=example,dc=com
# every attribute except userpassword

but if I change the aci

dn: dc=example,dc=com
changetype: modify
replace: aci
aci: (target ="ldap:///dc=example,dc=com")(version 3.0;acl "Anonymous read-search access";allow (read, search, compare)(userdn = "ldap:///anyone");)
aci: (target="ldap:///dc=example,dc=com") (targetattr = "*")(version 3.0; acl "allow all Admin group"; allow(all) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)

ldapmodify -f junk.ldif
ldapsearch -xLLL -h localhost -p 1200 -b dc=example,dc=com uid=scarter
# nothing is returned

so in an aci, if you do not specify a targetattr, no attribute is allowed, and nothing is returned
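As an added example (not part of this bug's comments and not FreeIPA or 389-ds code), a small Python checker that pulls the target clauses out of ACI strings like the ones above and flags any ACI with no targetattr clause, which per the observation above grants access to no attributes at all. The clause regex, the function names and the sample ACI list are assumptions of this example, not a 389-ds API.

```python
import re

# Bracketed target clauses that precede the "version 3.0" body of a 389-ds ACI
_CLAUSE = re.compile(r'\(\s*(targetattr|targetfilter|target)\s*(!=|=)\s*"([^"]*)"\s*\)', re.I)
_ACL_NAME = re.compile(r'acl\s+"([^"]*)"', re.I)

def parse_aci(aci):
    """Return the acl name and the target clauses of one ACI string."""
    clauses = {kw.lower(): (op, val) for kw, op, val in _CLAUSE.findall(aci)}
    name = _ACL_NAME.search(aci)
    return {"name": name.group(1) if name else None, "clauses": clauses}

def attribute_scope(aci):
    """Describe which attributes the ACI reaches; no targetattr clause means none."""
    clauses = parse_aci(aci)["clauses"]
    if "targetattr" not in clauses:
        return "none"
    op, val = clauses["targetattr"]
    if op == "!=":
        return "all except " + val
    return "all" if val.strip() == "*" else val

def lint_acis(acis):
    """Warn about ACIs that name no target attributes and therefore grant nothing."""
    warnings = []
    for aci in acis:
        info = parse_aci(aci)
        if "targetattr" not in info["clauses"]:
            warnings.append('ACI "%s" has no targetattr clause: it grants no attribute access' % info["name"])
    return warnings

# Constructed sample (hypothetical): the two ACIs from the working junk.ldif
# above, plus the anonymous ACI as it looks once its targetattr clause is dropped.
SAMPLE_ACIS = [
    '(target ="ldap:///dc=example,dc=com")(targetattr != "userpassword")(version 3.0;'
    'acl "Anonymous read-search access";allow (read, search, compare)(userdn = "ldap:///anyone");)',
    '(target="ldap:///dc=example,dc=com") (targetattr = "*")(version 3.0; acl "allow all Admin group"; '
    'allow(all) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)',
    '(target ="ldap:///dc=example,dc=com")(version 3.0;acl "Anonymous read-search access";'
    'allow (read, search, compare)(userdn = "ldap:///anyone");)',
]

if __name__ == "__main__":
    for aci in SAMPLE_ACIS:
        print(parse_aci(aci)["name"], "->", attribute_scope(aci))
    for warning in lint_acis(SAMPLE_ACIS):
        print(warning)
```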
In Doc: 15.4.2.1. Creating New Permissions from the Web UI Step 6 indicates that <snip> All attributes within the matching entries can be modified. <snip> which is misleading. Based on Rich's explanation above, if no attributes are specified, then the default is no access to any attribute.
I tried to clarify this in both the GUI and CLI sections: http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/defining-roles.html#creating-perms
Setting all priority and severity to medium.
Closing.