Bug 817909 - error indicates a different reason when ipa permission-mod fails to modify attrs
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware/OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Assigned To: Martin Kosek
QA Contact: Namita Soman
Depends On: 976382 1153292
Reported: 2012-05-01 14:40 EDT by Namita Soman
Modified: 2015-03-05 05:08 EST
Fixed In Version: ipa-4.0.3-1.el7
Doc Type: Bug Fix
Last Closed: 2015-03-05 05:08:23 EST
Type: Bug
Attachments: None
Description Namita Soman 2012-05-01 14:40:34 EDT
Description of problem:
From https://bugzilla.redhat.com/show_bug.cgi?id=783502#c11:
The test was to modify a permission to change the attributes, using allowed attributes:
ipa permission-mod "Change a user password"
--attrs=userpassword,krbprincipalkey,sambalmpassword,passwordhistory

the error now is:
ipa: ERROR: invalid 'target': type, filter, subtree and targetgroup are mutually exclusive

What is it referring to?

Same error if I choose to use a non-savvy attr like "abc"
ipa permission-mod "Change a user password" --attrs=abc

or decide to provide the correct type, but still try to modify attr (with meaningful or non meaningful attrs)
# ipa permission-mod "Change a user password" --attrs=abc --type=user
ipa: ERROR: invalid 'target': type, filter, subtree and targetgroup are mutually exclusive


Version-Release number of selected component (if applicable):
ipa-server-2.2.0-12.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Modify attributes of a permission

Actual results:
unable to modify, and get unrelated error

Expected results:
be able to modify - if all parameters are provided in command line (to workaround bug 782847)

Additional info:
Comment 2 Rob Crittenden 2012-05-01 18:00:34 EDT
Does this happen on all permissions or only this specific permission?
Comment 3 Namita Soman 2012-05-03 08:24:03 EDT
Possibly related: Permission when using Filter.

# ipa permission-show "Add krbPrincipalName to a host"
  Permission name: Add krbPrincipalName to a host
  Permissions: write
  Attributes: krbprincipalname
  Type: host
  Filter: (!(krbprincipalname=*))
  Granted to Privilege: Host Administrators, Host Enrollment


# ipa permission-mod "Add krbPrincipalName to a host" --attrs=krbprincipalkey
ipa: ERROR: invalid 'target': type, filter, subtree and targetgroup are mutually exclusive
But works for other permissions as below:
# ipa permission-show "Modify Group Password Policy"
  Permission name: Modify Group Password Policy
  Permissions: write
  Attributes: krbmaxpwdlife, krbminpwdlife, krbpwdhistorylength,
              krbpwdmindiffchars, krbpwdminlength, krbpwdmaxfailure,
              krbpwdfailurecountinterval, krbpwdlockoutduration
  Subtree: ldap:///cn=*,cn=TESTRELM.COM,cn=kerberos,dc=testrelm,dc=com
  Granted to Privilege: Password Policy Administrator

# ipa permission-mod "Modify Group Password Policy" --attrs=krbmaxpwdlife,krbminpwdlife,krbpwdhistorylength,krbpwdmaxfailure,krbpwdfailurecountinterval
--------------------------------------------------
Modified permission "Modify Group Password Policy"
--------------------------------------------------
  Permission name: Modify Group Password Policy
  Permissions: write
  Attributes: krbmaxpwdlife, krbminpwdlife, krbpwdhistorylength,
              krbpwdmaxfailure, krbpwdfailurecountinterval
  Subtree: ldap:///cn=*,cn=TESTRELM.COM,cn=kerberos,dc=testrelm,dc=com
  Granted to Privilege: Password Policy Administrator

# ipa permission-show "Enroll a host"
  Permission name: Enroll a host
  Permissions: write
  Attributes: objectclass
  Type: host
  Granted to Privilege: Host Administrators, Host Enrollment

# ipa permission-mod "Enroll a host" --attrs=description
-----------------------------------
Modified permission "Enroll a host"
-----------------------------------
  Permission name: Enroll a host
  Permissions: write
  Attributes: description
  Type: host
  Granted to Privilege: Host Administrators, Host Enrollment
Comment 4 Martin Kosek 2012-05-03 08:42:38 EDT
Thanks Namita. Rob, I think that the mutually exclusive target type list should only include type, subtree and targetgroup. User may want to apply the permission only for a subset of these targets, i.e. he needs to combine it with a filter.

A good example is the permission "Add krbPrincipalName to a host" that Namita posted.

I will open an upstream ticket for that.
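The validation failure described in this thread, modelled as an added example (not FreeIPA's code): a simplified permission-mod merges the change into the stored permission and re-validates the whole target, so an attrs-only change to a permission that already stores a type and a filter is rejected while filter sits in the exclusive list, and accepted once the list is reduced to type, subtree and targetgroup. The stored permissions are constructed from the permission-show output in this bug; `target_error` and `permission_mod` are hypothetical names.

```python
# Added example, not FreeIPA code: a simplified model of permission-mod target validation.

# The exclusive target list as the error message reported in this bug shows it ...
EXCLUSIVE_BUGGY = ("type", "filter", "subtree", "targetgroup")
# ... and as proposed in comment 4 (filter may be combined with the other three).
EXCLUSIVE_FIXED = ("type", "subtree", "targetgroup")

# Constructed from the permission-show output in this bug (attrs shortened).
STORED = {
    "Add krbPrincipalName to a host": {
        "attrs": ["krbprincipalname"],
        "type": "host",
        "filter": "(!(krbprincipalname=*))",
    },
    "Enroll a host": {"attrs": ["objectclass"], "type": "host"},
    "Modify Group Password Policy": {
        "attrs": ["krbmaxpwdlife", "krbminpwdlife"],
        "subtree": "ldap:///cn=*,cn=TESTRELM.COM,cn=kerberos,dc=testrelm,dc=com",
    },
}


def target_error(entry, exclusive):
    """Return an error string if more than one exclusive target key is set, else None."""
    present = [key for key in exclusive if entry.get(key)]
    if len(present) > 1:
        names = ", ".join(exclusive[:-1]) + " and " + exclusive[-1]
        return "invalid 'target': %s are mutually exclusive" % names
    return None


def permission_mod(name, changes, exclusive=EXCLUSIVE_FIXED):
    """Merge 'changes' into the stored permission and re-validate the merged target.

    Re-validating the whole merged entry (not just the supplied options) is what
    turned an attrs-only change into the unrelated 'target' error in this bug.
    Returns the CLI-style message instead of writing anything back.
    """
    entry = dict(STORED[name])
    entry.update(changes)
    error = target_error(entry, exclusive)
    if error:
        return "ipa: ERROR: " + error
    return 'Modified permission "%s"' % name


if __name__ == "__main__":
    change = {"attrs": ["krbprincipalkey"]}
    print(permission_mod("Add krbPrincipalName to a host", change, EXCLUSIVE_BUGGY))
    print(permission_mod("Add krbPrincipalName to a host", change))
```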
Comment 5 Martin Kosek 2012-05-03 08:46:09 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2718
Comment 9 Martin Kosek 2014-02-12 11:30:10 EST
Fixed upstream in scope of https://fedorahosted.org/freeipa/ticket/3566:

# ipa permission-show "Change a user password"
  Permission name: Change a user password
  Permissions: write
  Effective attributes: krbprincipalkey, passwordhistory, sambalmpassword,
                        sambantpassword, userpassword
  Bind rule type: permission
  Subtree: dc=example,dc=com
  ACI target filter: (!(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com))
  ACI target DN: uid=*,cn=users,cn=accounts,dc=example,dc=com
  Granted to Privilege: Modify Users and Reset passwords, User Administrators

# ipa permission-mod "Change a user password" --attrs={userpassword,krbprincipalkey,sambalmpassword,passwordhistory}
--------------------------------------------
Modified permission "Change a user password"
--------------------------------------------
  Permission name: Change a user password
  Permissions: write
  Effective attributes: krbprincipalkey, passwordhistory, sambalmpassword, userpassword
  Bind rule type: permission
  Subtree: dc=example,dc=com
  ACI target filter: (!(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com))
  ACI target DN: uid=*,cn=users,cn=accounts,dc=example,dc=com
  Granted to Privilege: Modify Users and Reset passwords, User Administrators
Comment 11 Namita Soman 2015-01-23 12:50:06 EST
Verified using ipa-server-4.1.0-15.el7.x86_64

# ipa permission-mod "System: Change user password" --attrs={userpassword,krbprincipalkey,sambalmpassword,passwordhistory}
--------------------------------------------------
Modified permission "System: Change user password"
--------------------------------------------------
  Permission name: System: Change User password
  Granted rights: write
  Effective attributes: krbprincipalkey, passwordhistory, sambalmpassword, userpassword
  Excluded attributes: sambantpassword
  Default attributes: userpassword, krbprincipalkey, sambantpassword, passwordhistory, sambalmpassword
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,dc=testrelm,dc=test
  Extra target filter: (!(memberOf=cn=admins,cn=groups,cn=accounts,dc=testrelm,dc=test))
  Type: user
  Granted to Privilege: User Administrators, Modify Users and Reset passwords
  Indirect Member of roles: User Administrator, helpdesk
Comment 13 errata-xmlrpc 2015-03-05 05:08:23 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html
