On 06/10/2014 10:13 AM, Martin Kosek wrote:
On 06/09/2014 02:20 PM, Petr Viktorin wrote:
On 06/06/2014 11:38 AM, Martin Kosek wrote:
[...]
4) When running user unit tests, I found a couple of issues:

a) Some attributes we may still miss in the permissions:
- krbPrincipalExpiration
- userclass
- ipaUserAuthType
- preferredLanguage

I am thinking we could base Modify Users permission on the read one and add
regular attributes there

I put in userclass and preferredLanguage.
I'm not sure about the other two; should regular user admins be able to change
these?

Good question. I think User Administrators should be able to set
krbPrincipalExpiration or ipaUserAuthType, though it is true it may not be part
of regular "Modify Users" permission and we may want to create more permissions.

Simo, does that sound OK?
I can't think of a good name. "Manage User authentication"?

Note that this can go in a later patch.

b) Read membership ACIs for users and groups miss the "member" attribute and thus
indirect/direct processing goes wrong.

Added.

1) Hm, I think I was not clear enough. memberOf should not be added to users, as
no object should be "member of user". Please revert this change. I originally
thought it is missing in "Read Group Membership" permissions, but it isn't.

We are again hitting the problem of a search operation when we are not allowed
to search on all attributes (the CVE fix). This is the search produced by "ipa
user-show fbar":

[10/Jun/2014:09:59:28 +0200] conn=155 op=5 SRCH base="dc=example,dc=com" scope=2 filter="(|(member=uid=fbar,cn=users,cn=accounts,dc=example,dc=com)(memberUser=uid=fbar,cn=users,cn=accounts,dc=example,dc=com)(memberHost=uid=fbar,cn=users,cn=accounts,dc=example,dc=com))" attrs=""
[10/Jun/2014:09:59:28 +0200] conn=155 op=5 RESULT err=0 tag=101 nentries=0 etime=0

It returns zero results, until I also allow memberUser and memberHost:

# ipa permission-mod 'System: Read Group Membership'
--attrs={member,memberof,memberuid,memberuser,memberhost}

Now I get the results:

[10/Jun/2014:10:04:25 +0200] conn=160 op=5 SRCH base="dc=example,dc=com" scope=2 filter="(|(member=uid=fbar,cn=users,cn=accounts,dc=example,dc=com)(memberUser=uid=fbar,cn=users,cn=accounts,dc=example,dc=com)(memberHost=uid=fbar,cn=users,cn=accounts,dc=example,dc=com))" attrs=""
[10/Jun/2014:10:04:25 +0200] conn=160 op=5 RESULT err=0 tag=101 nentries=1 etime=0

ipa user-show fbar
...
   Member of groups: ipausers    <<<<<
   Indirect Member of role: test
...

User still cannot see if he is a direct or an indirect member of a role, but this
may not be a problem.

The easiest solution may be to update all "Read * Membership"
permissions/ACIs to always contain member&memberuser&memberhost unless we want
to again produce multiple LDAP searches for checking direct/indirect membership.

Ah, now I see what you mean.

So: a read permission that includes any of these 3 should include all of them. It would make sense for makeaci to enforce this, so I'll include it in the other patchset.


2) Installation produces update errors:

ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure missing
required attribute "objectclass"
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure missing
required attribute "objectclass"

Problem is in install/updates/45-roles.update, permissions you converted still
have "member" update here.

dn: cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX
add:member: 'cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,$SUFFIX'

dn: cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX
add:member: 'cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,$SUFFIX'

Speaking of which, this privilege also needs to be added to the default privileges
of the managed permissions.

Thanks for the catch.

--
Petr³
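The search behaviour shown in the access-log lines above, as an added example that is not part of this thread or of FreeIPA: a small model of the "Read * Membership" problem. The server semantics it encodes (an entry is returned only if every attribute named in the filter is readable by the bound DN) are an assumption inferred from the nentries=0 / nentries=1 lines in the message, not taken from 389-ds source; the directory fragment, the two readable-attribute sets and the names `search`, `filter_attrs`, `membership_attrs_missing` and `demo` are constructed for the example. The second function is the consistency rule from the thread (any of member/memberUser/memberHost in a read permission implies all three) written the way a makeaci-style check might apply it.

```python
import re

# The three attributes the CLI's membership search names in one filter
# (see the SRCH lines in the thread); a read permission must carry all
# of them together or the search returns nothing.
MEMBERSHIP_ATTRS = frozenset({"member", "memberuser", "memberhost"})

# Equality assertions inside a flat (|...) / (&...) filter; enough for the
# filter shape `ipa user-show` issued, not a general RFC 4515 parser.
_EQUALITY = re.compile(r"\(([A-Za-z][A-Za-z0-9;-]*)=([^()]*)\)")


def filter_attrs(ldap_filter):
    """Lower-cased attribute names referenced by the filter."""
    return {name.lower() for name, _ in _EQUALITY.findall(ldap_filter)}


def search(entries, ldap_filter, readable_attrs):
    """DNs matching an OR-of-equalities filter under the access rule the
    thread's log lines show: if any attribute in the filter is not readable
    by the bound DN, no entry is returned at all (assumed semantics)."""
    readable = {a.lower() for a in readable_attrs}
    if not filter_attrs(ldap_filter) <= readable:
        return []
    assertions = [(n.lower(), v) for n, v in _EQUALITY.findall(ldap_filter)]
    hits = []
    for dn, attrs in entries.items():
        values = {k.lower(): set(v) for k, v in attrs.items()}
        if any(val in values.get(name, ()) for name, val in assertions):
            hits.append(dn)
    return hits


def membership_attrs_missing(perm_attrs):
    """Consistency rule from the thread, as a makeaci-style check: a read
    permission granting any of member/memberUser/memberHost must grant all
    three. Returns the attributes still to be added (empty if consistent)."""
    granted = {a.lower() for a in perm_attrs}
    if granted & MEMBERSHIP_ATTRS:
        return set(MEMBERSHIP_ATTRS - granted)
    return set()


# Constructed directory fragment: the one group entry the second search
# found, with fbar as a direct member.
SUFFIX = "dc=example,dc=com"
USER_DN = "uid=fbar,cn=users,cn=accounts," + SUFFIX
ENTRIES = {
    "cn=ipausers,cn=groups,cn=accounts," + SUFFIX: {
        "objectClass": ["top", "groupOfNames", "posixGroup"],
        "member": [USER_DN],
    },
}
MEMBERSHIP_FILTER = "(|(member=%s)(memberUser=%s)(memberHost=%s))" % (
    USER_DN, USER_DN, USER_DN)

# Constructed attribute sets: what the permission granted before and after
# the permission-mod quoted in the thread.
BEFORE = {"member", "memberof", "memberuid"}
AFTER = BEFORE | {"memberuser", "memberhost"}


def demo():
    """Entry counts for both attribute sets plus the consistency check."""
    return {
        "before": len(search(ENTRIES, MEMBERSHIP_FILTER, BEFORE)),
        "after": len(search(ENTRIES, MEMBERSHIP_FILTER, AFTER)),
        "missing": sorted(membership_attrs_missing(BEFORE)),
    }


if __name__ == "__main__":
    print(demo())
```

Running it reproduces the two SRCH/RESULT pairs in the message (no hit with the first attribute set, one hit with the second) and reports memberhost and memberuser as the attributes the first permission lacks, which is exactly what the proposed makeaci rule would refuse to generate.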

From 8b44bca76cb73aa0b0bc14e165c4462885b9b2a7 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 4 Jun 2014 16:11:30 +0200
Subject: [PATCH] managed perm updater: Handle case where we changed default
 ACIs in the past

This handles the case where IPA's default ACIs changed in something else
than just attribute lists.
In this case we can narrow the set of ACIs we think the user might be
upgrading from.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
---
 .../install/plugins/update_managed_permissions.py    | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 13433d353cd09de77029fd76f7070bf79a432774..e6f852c09d1a732109da5d56320192d4e617ab38 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -408,11 +408,20 @@ def get_upgrade_attr_lists(self, current_acistring, default_acistrings):
         An attribute will be included if the user has it in LDAP but it does
         not appear in *any* historic ACI.
         It will be excluded if it is in *all* historic ACIs but not in LDAP.
+        Rationale: When we don't know which version of an ACI the user is
+        upgrading from, we only consider attributes where all the versions
+        agree. For other attrs we'll use the default from the new managed perm.
 
         If the ACIs differ in something else than the list of attributes,
         raise IncompatibleACIModification. This means manual action is needed
         (either delete the old permission or change it to resemble the default
-        again, then re-run ipa-ldap-updater)
+        again, then re-run ipa-ldap-updater).
+
+        In case there are multiple historic default ACIs, and some of them
+        are compatible with the current but other ones aren't, we deduce that
+        the user is upgrading from one of the compatible ones.
+        The incompatible ones are removed from consideration, both for
+        compatibility and attribute lists.
         """
         assert default_acistrings
 
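Review bot: the new paragraphs say attribute lists are computed only from "compatible" historic ACIs but never define compatibility; add one sentence stating that the ACIs must be equal in everything except targetattr (the comparison below strips targetattr with _pop_targetattr before comparing), so a later reader knows which fields a changed default may differ in without triggering IncompatibleACIModification.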
@@ -434,6 +443,7 @@ def _pop_targetattr(aci):
 
         attrs_in_all_defaults = None
         attrs_in_any_defaults = set()
+        all_incompatible = True
         for default_acistring in default_acistrings:
             default_aci = ACI(default_acistring)
             default_attrs = _pop_targetattr(default_aci)
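Review bot: the all_incompatible flag duplicates state the loop already has; attrs_in_all_defaults is only assigned on the compatible path, so `if attrs_in_all_defaults is None:` after the loop expresses the same condition without a second variable to keep in sync.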
@@ -442,7 +452,9 @@ def _pop_targetattr(aci):
 
             if current_aci != default_aci:
                 self.log.debug('ACIs not compatible')
-                raise(IncompatibleACIModification())
+                continue
+            else:
+                all_incompatible = False
 
             if attrs_in_all_defaults is None:
                 attrs_in_all_defaults = set(default_attrs)
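Review bot: the `else:` after `continue` is redundant and can be flattened to a plain `all_incompatible = False` following the if block. Also, 'ACIs not compatible' used to precede an exception and now marks a benign skip; include the skipped default ACI (or at least its acl name) in the debug message so an admin reading the log can tell a normal skip apart from the terminal failure raised after the loop.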
@@ -450,6 +462,10 @@ def _pop_targetattr(aci):
                 attrs_in_all_defaults &= attrs_in_all_defaults
             attrs_in_any_defaults |= default_attrs
 
+        if all_incompatible:
+            self.log.debug('All old default ACIs are incompatible')
+            raise(IncompatibleACIModification())
+
         included = current_attrs - attrs_in_any_defaults
         excluded = attrs_in_all_defaults - current_attrs
 
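Review bot: the context line `attrs_in_all_defaults &= attrs_in_all_defaults` intersects the set with itself, so attrs_in_all_defaults is never narrowed past the first compatible default and the "in *all* historic ACIs" exclusion rule from the docstring is not what actually runs; it should read `attrs_in_all_defaults &= default_attrs`. It predates this patch, but now that which default comes first depends on the new compatibility skip, fixing it here keeps the excluded set from varying with the order of default_acistrings. Minor: `raise(IncompatibleACIModification())` reads like a function call; `raise IncompatibleACIModification()` is the usual form.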
-- 
1.9.0

From ab61b89b6340f0a9f8d6833856c1d4ca7b394d65 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 4 Jun 2014 15:21:26 +0200
Subject: [PATCH] Convert User default permissions to managed

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
---
 install/share/delegation.ldif        | 72 ----------------------------
 install/updates/40-delegation.update | 16 -------
 install/updates/45-roles.update      |  6 ---
 ipalib/plugins/user.py               | 91 ++++++++++++++++++++++++++++++++++++
 4 files changed, 91 insertions(+), 94 deletions(-)

diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 43d13974ffd63ea6ee554c815b911715609149b8..2c712bfc174b3151a5bf69e37ebfe58f2fff96f4 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -133,65 +133,6 @@ dn: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
 # Default permissions.
 ############################################
 
-# User administration
-
-dn: cn=Add Users,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: ipapermission
-cn: Add Users
-member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: ipapermission
-cn: Change a user password
-member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: ipapermission
-cn: Add user to default group
-member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectclass: top
-objectclass: groupofnames
-objectClass: ipapermission
-cn: Unlock user accounts
-member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
-member: cn=admins,cn=groups,cn=accounts,$SUFFIX
-
-dn: cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: ipapermission
-cn: Remove Users
-member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: ipapermission
-cn: Modify Users
-member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: ipapermission
-cn: Manage User SSH Public Keys
-member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
-
 # Group administration
 
 dn: cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX
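Review bot: the removed 'Unlock user accounts' entry listed cn=admins,cn=groups,cn=accounts,$SUFFIX as a direct member next to the User Administrators privilege, while the managed 'System: Unlock User' definition in user.py carries only 'User Administrators' in default_privileges. Confirm that the admins group keeps the right through another ACI on a fresh install, or call out the intentional drop in the commit message.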
@@ -521,19 +462,6 @@ dn: cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX
 # Default permissions (ACIs)
 ############################################
 
-# User administration
-
-dn: $SUFFIX
-changetype: modify
-add: aci
-aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX))")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)
-
 # Group administration
 
 dn: $SUFFIX
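Review bot: the 'Change a user password' exclusion keys on (!(memberOf=cn=admins,...)) and is carried over unchanged into ipapermtargetfilter in user.py; it protects only entries the memberOf plugin has marked as (direct or nested) admins group members, not accounts that hold administrative rights through a role or privilege without belonging to that group. A comment next to the managed definition would stop anyone reading the filter as "all administrators".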
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 3f3b98799acfc7c5ae7218c3de682db35b815d2e..7c3a284b8d2a0592240e56d8118c821a25fc7798 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -307,14 +307,6 @@ dn: $SUFFIX
 replace:aci:'(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX";)(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX";)(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX";)'
 replace:aci:'(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX";)(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX";)(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX";)'
 
-# SSH public keys
-dn: cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX
-default:objectClass: top
-default:objectClass: groupofnames
-default:objectClass: ipapermission
-default:cn: Manage User SSH Public Keys
-default:member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
-
 dn: cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX
 default:objectClass: top
 default:objectClass: groupofnames
@@ -323,16 +315,8 @@ dn: cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX
 default:member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
 
 dn: $SUFFIX
-add:aci:'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)'
-
-dn: $SUFFIX
 add:aci:'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)'
 
-# Limit the change password permission so it can't change the passwords
-# of administrators
-dn: $SUFFIX
-replace:aci:'(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX))")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)'
-
 # Don't allow the default 'manage group membership' to be able to manage the
 # admins group
 replace:aci:'(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)'
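Review bot: the dropped replace rule was the only step that narrowed an older, unrestricted 'Change a user password' ACI to exclude admins; after this patch that narrowing depends on the managed-permission updater matching the first replaces string in user.py. Add an upgrade test from an install that still carries the unrestricted ACI to confirm the (!(memberOf=cn=admins...)) filter ends up applied rather than IncompatibleACIModification being raised.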
diff --git a/install/updates/45-roles.update b/install/updates/45-roles.update
index 3803cee3bfb0dadf07f9fac88e1ab797226a909f..a3cbf4ddc3cc77fe6ed006333b03e341c4f99fc4 100644
--- a/install/updates/45-roles.update
+++ b/install/updates/45-roles.update
@@ -7,12 +7,6 @@ dn: cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,$SUFFIX
 default:description: Modify Users and Reset passwords
 default:member: cn=helpdesk,cn=roles,cn=accounts,$SUFFIX
 
-dn: cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX
-add:member: 'cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,$SUFFIX'
-
-dn: cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX
-add:member: 'cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,$SUFFIX'
-
 dn: cn=Modify Group membership,cn=privileges,cn=pbac,$SUFFIX
 default:objectClass: top
 default:objectClass: groupofnames
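Review bot: with these add:member lines gone, the helpdesk role reaches the two permissions only through 'Modify Users and Reset passwords' appearing in default_privileges of 'System: Change User password' and 'System: Modify Users' in user.py (it does in this patch); since the thread traces the "missing required attribute objectclass" update errors to exactly these lines, a one-line comment here pointing at the managed definitions would save the next person the same search.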
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 27ad36b7fdbee5b2c0dba10f1c381233e8059150..071cda5aacc77c2f9d1efb619ead8f823bcff81c 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -336,6 +336,97 @@ class user(LDAPObject):
             'ipapermdefaultattr': {'*'},
             'default_privileges': {'User Administrators'},
         },
+        'System: Add Users': {
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'add'},
+            'replaces': [
+                '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {'User Administrators'},
+        },
+        'System: Add User to default group': {
+            'non_object': True,
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'write'},
+            'ipapermlocation': DN(api.env.container_group, api.env.basedn),
+            'ipapermtarget': DN('cn=ipausers', api.env.container_group,
+                                api.env.basedn),
+            'ipapermdefaultattr': {'member'},
+            'replaces': [
+                '(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {'User Administrators'},
+        },
+        'System: Change User password': {
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'write'},
+            'ipapermtargetfilter': [
+                '(objectclass=posixaccount)',
+                '(!(memberOf=%s))' % DN('cn=admins',
+                                        api.env.container_group,
+                                        api.env.basedn),
+            ],
+            'ipapermdefaultattr': {
+                'krbprincipalkey', 'passwordhistory', 'sambalmpassword',
+                'sambantpassword', 'userpassword'
+            },
+            'replaces': [
+                '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)',
+                '(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX))")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {
+                'User Administrators',
+                'Modify Users and Reset passwords',
+            },
+        },
+        'System: Manage User SSH Public Keys': {
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'write'},
+            'ipapermdefaultattr': {'ipasshpubkey'},
+            'replaces': [
+                '(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {'User Administrators'},
+        },
+        'System: Modify Users': {
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'write'},
+            'ipapermdefaultattr': {
+                'businesscategory', 'carlicense', 'cn', 'description',
+                'displayname', 'employeetype', 'facsimiletelephonenumber',
+                'gecos', 'givenname', 'homephone', 'inetuserhttpurl',
+                'initials', 'l', 'labeleduri', 'loginshell', 'manager',
+                'mepmanagedentry', 'mobile', 'objectclass', 'ou', 'pager',
+                'postalcode', 'roomnumber', 'secretary', 'seealso', 'sn', 'st',
+                'street', 'telephonenumber', 'title'
+            },
+            'replaces': [
+                '(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {
+                'User Administrators',
+                'Modify Users and Reset passwords',
+            },
+        },
+        'System: Remove Users': {
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'delete'},
+            'replaces': [
+                '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {'User Administrators'},
+        },
+        'System: Unlock User': {
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'write'},
+            'ipapermdefaultattr': {
+                'krblastadminunlock', 'krbloginfailedcount'
+            },
+            'replaces': [
+                '(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {'User Administrators'},
+        },
     }
 
     label = _('Users')
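Review bot: 'System: Add User to default group' hardcodes cn=ipausers in ipapermtarget, as the removed ACI did, so an installation that changes the default group with `ipa config-mod --defaultgroup` keeps granting write on the member attribute of ipausers rather than of the group actually in use; either derive the target from the config entry or document the limitation on the permission. Naming nit: 'System: Unlock User' is singular while its siblings are 'Add Users', 'Modify Users' and 'Remove Users'.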
-- 
1.9.0

From 07dc0bebdd85292cea2e14d918617eb0cbc8a3b7 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 4 Jun 2014 15:35:31 +0200
Subject: [PATCH] Add missing attributes to User managed permissions

- Add nsAccountLock to the Unlock user accounts permission
- Add member to Read User Membership
- Add userClass and preferredLanguage to Modify Users

https://fedorahosted.org/freeipa/ticket/3697
---
 ipalib/plugins/user.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 071cda5aacc77c2f9d1efb619ead8f823bcff81c..4eb35bd84f1bda4d9999efecf244d1f58d190747 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -398,7 +398,8 @@ class user(LDAPObject):
                 'initials', 'l', 'labeleduri', 'loginshell', 'manager',
                 'mepmanagedentry', 'mobile', 'objectclass', 'ou', 'pager',
                 'postalcode', 'roomnumber', 'secretary', 'seealso', 'sn', 'st',
-                'street', 'telephonenumber', 'title'
+                'street', 'telephonenumber', 'title', 'userclass',
+                'preferredlanguage',
             },
             'replaces': [
                 '(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX";)',
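Review bot: the commit message lists "Add member to Read User Membership", but the diffstat (3 insertions, 2 deletions) and the two hunks only carry userclass/preferredlanguage here and nsaccountlock below; either the member change was dropped (the thread asks for the memberOf addition to be reverted) and the message needs updating, or a hunk is missing from the patch.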
@@ -420,7 +421,7 @@ class user(LDAPObject):
             'ipapermbindruletype': 'permission',
             'ipapermright': {'write'},
             'ipapermdefaultattr': {
-                'krblastadminunlock', 'krbloginfailedcount'
+                'krblastadminunlock', 'krbloginfailedcount', 'nsaccountlock',
             },
             'replaces': [
                 '(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX";)',
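Review bot: write on nsaccountlock makes this a lock permission as well as an unlock one; a holder can set nsAccountLock=TRUE on any entry under cn=users, and unlike 'System: Change User password' this permission has no (!(memberOf=cn=admins,...)) targetfilter, so that includes admin accounts. Either add the same exclusion filter here or rename the permission to reflect that it both enables and disables accounts.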
-- 
1.9.0

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
