Hello,
I try to think about any kind of data the user might have in LDAP, but in the spirit of YAGNI, I'll deal with the various corner cases in IPA's historic default permissions as I go along.


Patch 0568 adds support for the case where the default permissions changed in something other than attribute lists. Needed for the 'Change User password' permission.

Patch 0569 converts user permissions to managed.

Patch 0570 fixes https://fedorahosted.org/freeipa/ticket/3697

--
Petr³
From a09d3e24805f29a828f67ee4cab3a6f8bbc0e693 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 4 Jun 2014 16:11:30 +0200
Subject: [PATCH] managed perm updater: Handle case where we changed default
 ACIs in the past

This handles the case where IPA's default ACIs changed in something other
than just attribute lists.
In this case we can narrow the set of ACIs we think the user might be
upgrading from.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
---
 .../install/plugins/update_managed_permissions.py    | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 13433d353cd09de77029fd76f7070bf79a432774..e6f852c09d1a732109da5d56320192d4e617ab38 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -408,11 +408,20 @@ def get_upgrade_attr_lists(self, current_acistring, default_acistrings):
         An attribute will be included if the user has it in LDAP but it does
         not appear in *any* historic ACI.
         It will be excluded if it is in *all* historic ACIs but not in LDAP.
+        Rationale: When we don't know which version of an ACI the user is
+        upgrading from, we only consider attributes where all the versions
+        agree. For other attrs we'll use the default from the new managed perm.
 
         If the ACIs differ in something else than the list of attributes,
         raise IncompatibleACIModification. This means manual action is needed
         (either delete the old permission or change it to resemble the default
-        again, then re-run ipa-ldap-updater)
+        again, then re-run ipa-ldap-updater).
+
+        In case there are multiple historic default ACIs, and some of them
+        are compatible with the current but other ones aren't, we deduce that
+        the user is upgrading from one of the compatible ones.
+        The incompatible ones are removed from consideration, both for
+        compatibility and attribute lists.
         """
         assert default_acistrings
 
@@ -434,6 +443,7 @@ def _pop_targetattr(aci):
 
         attrs_in_all_defaults = None
         attrs_in_any_defaults = set()
+        all_incompatible = True
         for default_acistring in default_acistrings:
             default_aci = ACI(default_acistring)
             default_attrs = _pop_targetattr(default_aci)
@@ -442,7 +452,9 @@ def _pop_targetattr(aci):
 
             if current_aci != default_aci:
                 self.log.debug('ACIs not compatible')
-                raise(IncompatibleACIModification())
+                continue
+            else:
+                all_incompatible = False
 
             if attrs_in_all_defaults is None:
                 attrs_in_all_defaults = set(default_attrs)
@@ -450,6 +462,10 @@ def _pop_targetattr(aci):
                 attrs_in_all_defaults &= attrs_in_all_defaults
             attrs_in_any_defaults |= default_attrs
 
+        if all_incompatible:
+            self.log.debug('All old default ACIs are incompatible')
+            raise(IncompatibleACIModification())
+
         included = current_attrs - attrs_in_any_defaults
         excluded = attrs_in_all_defaults - current_attrs
 
-- 
1.9.0

From fb01e2a0c9e84ff618b5de01c1373bded154e5d9 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 4 Jun 2014 15:21:26 +0200
Subject: [PATCH] Convert User default permissions to managed

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
---
 install/share/delegation.ldif        | 72 -------------------------------
 install/updates/40-delegation.update | 16 -------
 ipalib/plugins/user.py               | 84 ++++++++++++++++++++++++++++++++++++
 3 files changed, 84 insertions(+), 88 deletions(-)

diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 43d13974ffd63ea6ee554c815b911715609149b8..2c712bfc174b3151a5bf69e37ebfe58f2fff96f4 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -133,65 +133,6 @@ dn: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
 # Default permissions.
 ############################################
 
-# User administration
-
-dn: cn=Add Users,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: ipapermission
-cn: Add Users
-member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: ipapermission
-cn: Change a user password
-member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: ipapermission
-cn: Add user to default group
-member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectclass: top
-objectclass: groupofnames
-objectClass: ipapermission
-cn: Unlock user accounts
-member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
-member: cn=admins,cn=groups,cn=accounts,$SUFFIX
-
-dn: cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: ipapermission
-cn: Remove Users
-member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: ipapermission
-cn: Modify Users
-member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: ipapermission
-cn: Manage User SSH Public Keys
-member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
-
 # Group administration
 
 dn: cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX
@@ -521,19 +462,6 @@ dn: cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX
 # Default permissions (ACIs)
 ############################################
 
-# User administration
-
-dn: $SUFFIX
-changetype: modify
-add: aci
-aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX))")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)
-
 # Group administration
 
 dn: $SUFFIX
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 3f3b98799acfc7c5ae7218c3de682db35b815d2e..7c3a284b8d2a0592240e56d8118c821a25fc7798 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -307,14 +307,6 @@ dn: $SUFFIX
 replace:aci:'(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX";)(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX";)(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX";)'
 replace:aci:'(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX";)(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX";)(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX";)'
 
-# SSH public keys
-dn: cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX
-default:objectClass: top
-default:objectClass: groupofnames
-default:objectClass: ipapermission
-default:cn: Manage User SSH Public Keys
-default:member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
-
 dn: cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX
 default:objectClass: top
 default:objectClass: groupofnames
@@ -323,16 +315,8 @@ dn: cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX
 default:member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
 
 dn: $SUFFIX
-add:aci:'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)'
-
-dn: $SUFFIX
 add:aci:'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)'
 
-# Limit the change password permission so it can't change the passwords
-# of administrators
-dn: $SUFFIX
-replace:aci:'(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX))")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)'
-
 # Don't allow the default 'manage group membership' to be able to manage the
 # admins group
 replace:aci:'(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)'
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 27ad36b7fdbee5b2c0dba10f1c381233e8059150..59f57535620c2c6f1d215425229e59bddf588051 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -336,6 +336,90 @@ class user(LDAPObject):
             'ipapermdefaultattr': {'*'},
             'default_privileges': {'User Administrators'},
         },
+        'System: Add Users': {
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'add'},
+            'replaces': [
+                '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {'User Administrators'},
+        },
+        'System: Add User to default group': {
+            'non_object': True,
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'write'},
+            'ipapermlocation': DN('cn=ipausers', 'cn=groups', 'cn=accounts',
+                                  api.env.basedn),
+            'ipapermdefaultattr': {'member'},
+            'replaces': [
+                '(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {'User Administrators'},
+        },
+        'System: Change User password': {
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'write'},
+            'ipapermtargetfilter': [
+                '(objectclass=posixaccount)',
+                '(!(memberOf=%s))' % DN('cn=admins',
+                                        api.env.container_group,
+                                        api.env.basedn),
+            ],
+            'ipapermdefaultattr': {
+                'krbprincipalkey', 'passwordhistory', 'sambalmpassword',
+                'sambantpassword', 'userpassword'
+            },
+            'replaces': [
+                '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)',
+                '(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX))")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {'User Administrators'},
+        },
+        'System: Manage User SSH Public Keys': {
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'write'},
+            'ipapermdefaultattr': {'ipasshpubkey'},
+            'replaces': [
+                '(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {'User Administrators'},
+        },
+        'System: Modify Users': {
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'write'},
+            'ipapermdefaultattr': {
+                'businesscategory', 'carlicense', 'cn', 'description',
+                'displayname', 'employeetype', 'facsimiletelephonenumber',
+                'gecos', 'givenname', 'homephone', 'inetuserhttpurl',
+                'initials', 'l', 'labeleduri', 'loginshell', 'manager',
+                'mepmanagedentry', 'mobile', 'objectclass', 'ou', 'pager',
+                'postalcode', 'roomnumber', 'secretary', 'seealso', 'sn', 'st',
+                'street', 'telephonenumber', 'title'
+            },
+            'replaces': [
+                '(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {'User Administrators'},
+        },
+        'System: Remove Users': {
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'delete'},
+            'replaces': [
+                '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {'User Administrators'},
+        },
+        'System: Unlock User': {
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'write'},
+            'ipapermdefaultattr': {
+                'krblastadminunlock', 'krbloginfailedcount'
+            },
+            'replaces': [
+                '(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {'User Administrators'},
+        },
     }
 
     label = _('Users')
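Review bot: 'System: Add User to default group' spells the groups container as a literal `'cn=groups'` in its `ipapermlocation`, while 'System: Change User password' derives the same container from `api.env.container_group` for its `memberOf` filter; the two entries in this hunk should agree, otherwise a deployment whose group container differs from the default (if that is configurable, which the hunk does not show) would get a permission pointing at the wrong subtree. Suggest `'ipapermlocation': DN('cn=ipausers', api.env.container_group, api.env.basedn),`. Note also that the `replaces` list for 'System: Change User password' correctly carries both the pre- and post-filter historic ACIs, which is what the updater change in patch 0568 relies on. The `managed_permissions` dict and the `user` class begin outside the hunk.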
-- 
1.9.0

From 06a4d84e9ee08aba3e48b2eb7bfdf6b6cfa0d816 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 4 Jun 2014 15:35:31 +0200
Subject: [PATCH] Add nsAccountLock to the Unlock user accounts permission

https://fedorahosted.org/freeipa/ticket/3697
---
 ipalib/plugins/user.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 59f57535620c2c6f1d215425229e59bddf588051..dd8de95745490adc26a0a364a47673b3f48922ec 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -413,7 +413,7 @@ class user(LDAPObject):
             'ipapermbindruletype': 'permission',
             'ipapermright': {'write'},
             'ipapermdefaultattr': {
-                'krblastadminunlock', 'krbloginfailedcount'
+                'krblastadminunlock', 'krbloginfailedcount', 'nsaccountlock',
             },
             'replaces': [
                 '(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX";)',
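Review bot: Granting write on `nsaccountlock` lets holders of 'System: Unlock User' disable accounts as well as unlock them, and unlike 'System: Change User password' this entry carries no `ipapermtargetfilter` excluding members of the admins group, so the permission appears to cover admin accounts too unless object-level defaults add such a filter (not visible in this hunk). If that is intended, a one-line comment above the attribute set, e.g. `# write on nsaccountlock also allows locking; applies to admins too`, would make the widened scope explicit for the next reader. The `replaces` entry is correctly left without `nsaccountlock`, since the historic ACI never granted it. The dict entry continues outside the hunk.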
-- 
1.9.0
