Red Hat Bugzilla – Bug 817909
error indicates a different reason when ipa permission-mod fails to modify attrs
Last modified: 2015-03-05 05:08:23 EST
Description of problem: From https://bugzilla.redhat.com/show_bug.cgi?id=783502#c11: The test was to modify a permission to change the attributes, using allowed attributes: ipa permission-mod "Change a user password" --attrs=userpassword,krbprincipalkey,sambalmpassword,passwordhistory the error now is: ipa: ERROR: invalid 'target': type, filter, subtree and targetgroup are mutually exclusive What is it referring to? Same error if I choose to use a non-savvy attr like "abc" ipa permission-mod "Change a user password" --attrs=abc or decide to provide the correct type, but still try to modify attr (with meaningful or non meaningful attrs) # ipa permission-mod "Change a user password" --attrs=abc --type=user ipa: ERROR: invalid 'target': type, filter, subtree and targetgroup are mutually exclusive Version-Release number of selected component (if applicable): ipa-server-2.2.0-12.el6.x86_64 How reproducible: always Steps to Reproduce: 1. Modify attributes of a permission 2. 3. Actual results: unable to modify, and get unrelated error Expected results: be able to modify - if all parameters are provided in command line (to workaround bug 782847) Additional info:
Does this happen on all permissions or only this specific permission?
Possibly related Permission when using Filter. # ipa permission-show "Add krbPrincipalName to a host" Permission name: Add krbPrincipalName to a host Permissions: write Attributes: krbprincipalname Type: host Filter: (!(krbprincipalname=*)) Granted to Privilege: Host Administrators, Host Enrollment # ipa permission-mod "Add krbPrincipalName to a host" --attrs=krbprincipalkey ipa: ERROR: invalid 'target': type, filter, subtree and targetgroup are mutually exclusive But works for other permissions as below: # ipa permission-show "Modify Group Password Policy" Permission name: Modify Group Password Policy Permissions: write Attributes: krbmaxpwdlife, krbminpwdlife, krbpwdhistorylength, krbpwdmindiffchars, krbpwdminlength, krbpwdmaxfailure, krbpwdfailurecountinterval, krbpwdlockoutduration Subtree: ldap:///cn=*,cn=TESTRELM.COM,cn=kerberos,dc=testrelm,dc=com Granted to Privilege: Password Policy Administrator # ipa permission-mod "Modify Group Password Policy" --attrs=krbmaxpwdlife,krbminpwdlife,krbpwdhistorylength,krbpwdmaxfailure,krbpwdfailurecountinterval -------------------------------------------------- Modified permission "Modify Group Password Policy" -------------------------------------------------- Permission name: Modify Group Password Policy Permissions: write Attributes: krbmaxpwdlife, krbminpwdlife, krbpwdhistorylength, krbpwdmaxfailure, krbpwdfailurecountinterval Subtree: ldap:///cn=*,cn=TESTRELM.COM,cn=kerberos,dc=testrelm,dc=com Granted to Privilege: Password Policy Administrator # ipa permission-show "Enroll a host" Permission name: Enroll a host Permissions: write Attributes: objectclass Type: host Granted to Privilege: Host Administrators, Host Enrollment # ipa permission-mod "Enroll a host" --attrs=description ----------------------------------- Modified permission "Enroll a host" ----------------------------------- Permission name: Enroll a host Permissions: write Attributes: description Type: host Granted to Privilege: Host Administrators, Host Enrollment
Thanks Namita. Rob, I think that the mutually exclusive target type list should only include type, subtree and targetgroup. User may want to apply the permission only for a subset of these targets, i.e. he needs to combine it with a filter. A good example is the permission "Add krbPrincipalName to a host" that Namita posted. I will open an upstream ticket for that.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2718
Fixed upstream in scope of https://fedorahosted.org/freeipa/ticket/3566: # ipa permission-show "Change a user password" Permission name: Change a user password Permissions: write Effective attributes: krbprincipalkey, passwordhistory, sambalmpassword, sambantpassword, userpassword Bind rule type: permission Subtree: dc=example,dc=com ACI target filter: (!(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com)) ACI target DN: uid=*,cn=users,cn=accounts,dc=example,dc=com Granted to Privilege: Modify Users and Reset passwords, User Administrators # ipa permission-mod "Change a user password" --attrs={userpassword,krbprincipalkey,sambalmpassword,passwordhistory} -------------------------------------------- Modified permission "Change a user password" -------------------------------------------- Permission name: Change a user password Permissions: write Effective attributes: krbprincipalkey, passwordhistory, sambalmpassword, userpassword Bind rule type: permission Subtree: dc=example,dc=com ACI target filter: (!(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com)) ACI target DN: uid=*,cn=users,cn=accounts,dc=example,dc=com Granted to Privilege: Modify Users and Reset passwords, User Administrators
Verified using ipa-server-4.1.0-15.el7.x86_64 # ipa permission-mod "System: Change user password" --attrs={userpassword,krbprincipalkey,sambalmpassword,passwordhistory} -------------------------------------------------- Modified permission "System: Change user password" -------------------------------------------------- Permission name: System: Change User password Granted rights: write Effective attributes: krbprincipalkey, passwordhistory, sambalmpassword, userpassword Excluded attributes: sambantpassword Default attributes: userpassword, krbprincipalkey, sambantpassword, passwordhistory, sambalmpassword Bind rule type: permission Subtree: cn=users,cn=accounts,dc=testrelm,dc=test Extra target filter: (!(memberOf=cn=admins,cn=groups,cn=accounts,dc=testrelm,dc=test)) Type: user Granted to Privilege: User Administrators, Modify Users and Reset passwords Indirect Member of roles: User Administrator, helpdesk
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0442.html