The 'Host Administrators' privilege was missing two permissions ('Retrieve Certificates from the CA' and 'Revoke Certificate'), causing the inability to remove a host with a certificate.
https://fedorahosted.org/freeipa/ticket/3585 -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc.
From cf01603d4b0c0d806619fc2d53ac7a65f4d12944 Mon Sep 17 00:00:00 2001 From: Ana Krivokapic <akriv...@redhat.com> Date: Mon, 22 Apr 2013 21:43:12 +0200 Subject: [PATCH] Add missing permissions to Host Administrators privilege The 'Host Administrators' privilege was missing two permissions ('Retrieve Certificates from the CA' and 'Revoke Certificate'), causing the inability to remove a host with a certificate. https://fedorahosted.org/freeipa/ticket/3585 --- install/updates/40-delegation.update | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update index 5c14a703655e5de0c3b6a13e5b1a69a40ebfc13b..64a6432acc8605f3164d267d16609f51ce02a7ef 100644 --- a/install/updates/40-delegation.update +++ b/install/updates/40-delegation.update @@ -365,3 +365,11 @@ replace:aci:'(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=account dn: cn=ipa,cn=etc,$SUFFIX add:aci:'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)' add:aci:'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)' + +# Add permissions "Retrieve Certificates from the CA" and "Revoke Certificate" +# to privilege "Host Administrators" +dn: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX +add: member: 'cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX' + +dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX +add: member: 'cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX' -- 1.8.1.4
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel