On 03/02/2014 11:26 PM, Gabe Alford wrote:
Here is an updated patch that merges the notes and adds info about
preventing removal of the last admin.
Gabe
That looks misleading to me -- by default, the "group administrators"
privilege actually excludes the right to modify admins. Only admins or
the Directory Manager can add new admins.
I took a stab at correcting this; does the attached patch look good?
On Fri, Feb 28, 2014 at 8:39 AM, Gabe Alford <[email protected]> wrote:
That does make more sense to merge them under the same note. I can
also include a little blurb about ipa user-del and ipa
group-remove-member.
On Fri, Feb 28, 2014 at 5:54 AM, Petr Viktorin <[email protected]> wrote:
On 02/26/2014 04:01 PM, Gabe Alford wrote:
Hi all,
I added a tip in the deleting users section on restoring
admin account.
Please review.
https://fedorahosted.org/freeipa/ticket/2746
Hello,
The new tip is added right under a Note about the same thing (or
a very similar thing, from the user's POV). Would it be possible
to merge those two into a single Note?
Nowadays[0], ipa user-del and ipa group-remove-member will
refuse to delete the last admin. I think this information should
be added to the main docs. (Also, this reduces the importance of
the recovery instructions.)
[0] https://fedorahosted.org/freeipa/ticket/2564
--
Petr³
--
Petr³
From 6d33775c23d31aaace4f4e896a543c8098100af8 Mon Sep 17 00:00:00 2001
From: Gabe <[email protected]>
Date: Sat, 1 Mar 2014 16:09:51 -0700
Subject: [PATCH] Document steps to restore deleted admin account
Added to the existing note under 'Deleting Users'. Also added a line about
ipa user-del and ipa group-remove-member not allowing the last admin user to be
deleted by default.
https://fedorahosted.org/freeipa/ticket/2746
---
src/user_guide/en-US/Users.xml | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/user_guide/en-US/Users.xml b/src/user_guide/en-US/Users.xml
index 9ab18ac..5295667 100644
--- a/src/user_guide/en-US/Users.xml
+++ b/src/user_guide/en-US/Users.xml
@@ -447,12 +447,22 @@ UID: 387115841</screen>
<para>
Deleting a user account is permanent. The information cannot be recovered; a new account must be created.
</para>
- <note><title>NOTE</title>
+ <note><title>NOTE</title>
+ <para>
+ The <command>ipa user-del</command> and <command>ipa group-remove-member</command> commands prevent the accidential deletion of the last user in the <emphasis role="bold">admins</emphasis> group.
+ </para>
<para>
- If all admin users are deleted, then you must use the Directory Manager account to create a new administrative user.
+ However, if all users from the <emphasis role="bold">admins</emphasis> group are removed in some way,
+ you can use the Directory Manager account to add another user to the group:
</para>
+ <screen>ldapmodify -x -D 'cn=directory manager' -W
+dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
+changetype: modify
+add: member
+member: uid=youruser,cn=users,cn=accouns,dc=example,dc=com
+ </screen>
<para>
- Alternatively, any user who belongs in the group management role can also add a new admin user.
+ Once you have done this, you may use this account to re-create the <emphasis role="bold">admin</emphasis> user.
</para>
</note>
<section id="Deleting_IPA_Users-ui"><title>With the Web UI</title>
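Review bot: the member: line in the added <screen> block spells the accounts container as "cn=accouns" (uid=youruser,cn=users,cn=accouns,dc=example,dc=com), while the dn: line above it uses cn=accounts. Anyone who copies the example adds a member value that does not match the intended user entry, so the recovery step will not give that user admin rights; change it to cn=accounts. In the first added <para>, "accidential" should be "accidental". The ldapmodify command uses a simple bind (-x with -D and -W) and shows no -H or -ZZ, so the note should say over which connection the Directory Manager password is expected to travel, for example StartTLS with -ZZ. The closing </screen> is also on its own indented line, which leaves trailing whitespace inside the rendered screen block; putting it directly after the last LDIF line avoids that.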
--
1.8.5.3