On 06/11/2015 03:55 PM, David Kupka wrote:
> On 11.6.2015 at 14:12 thierry bordaz wrote:
>> On 06/10/2015 02:14 PM, David Kupka wrote:
>>> https://fedorahosted.org/freeipa/ticket/5057
>> Hello David,
>>
>> The patch looks ok except it removes a permission to update 'uid' from
>> an active user. This permission is required to delete (preserve) an
>> active user.
>>
>> - # Active container
>> - #
>> - # Stage user administrators need write right on RDN when
>> - # the active user is deleted (preserved)
>> - 'System: Write Active Users RDN by administrators': {
>> - 'ipapermlocation': DN(baseuser.active_container_dn,
>> api.env.basedn),
>> - 'ipapermbindruletype': 'permission',
>> - 'ipapermtarget': DN('uid=*',
>> baseuser.active_container_dn, api.env.basedn),
>> - 'ipapermtargetfilter': {'(objectclass=posixaccount)'},
>> - 'ipapermright': {'write'},
>> - 'ipapermdefaultattr': {'uid'},
>> - 'default_privileges': {'Stage User Administrators'},
>> - },
>> - #
>>
>> I prepared a new patch (attached) with that permission and it makes
>> 'user-del --preserve' happy.
>> Now I think the name would rather be something like: 'System: Preserve
>> an active user (user-del --preserve)'
>>
>> I also added back this comment in two permissions: 'Note: targetfilter is
>> the target parent container'.
>> This was to say that the targetfilter setting was intentional.
>> If you think it is not the right place, you may remove those comments.
>>
>> Thanks
>> thierry
>>
>
> Hello Thierry,
> Indeed, I accidentally removed these. Thank you for the careful review.
> A rebase is needed, but it is due to a change in VERSION and it is useless to do it
> before push as there are too many patches going to master right now.
> Martin, are you (as a reporter) OK with the patch?
>
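Review bot: the removed lines in the quoted hunk are the only permission granting 'write' on 'uid' for entries under the active users container ('ipapermtarget' is 'uid=*' under baseuser.active_container_dn, filtered on '(objectclass=posixaccount)'), and 'user-del --preserve' has to modify that RDN when it moves the entry, so dropping the block rather than renaming it removes the 'Stage User Administrators' privilege's ability to preserve an active user. Keep the permission with its 'ipapermdefaultattr': {'uid'} and 'ipapermright': {'write'} unchanged and change only the key, e.g. to 'System: Modify User RDN' as the thread proposes; the accompanying '# Stage user administrators need write right on RDN ...' comment should stay with it so the narrow 'uid'-only grant is not mistaken for leftover code again.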
Not entirely. I still see some weird permission in stageuser.py:

    #
    # Active container
    #
    # Stage user administrators need write right on RDN when
    # the active user is deleted (preserved)
    'System: Write Active Users RDN by administrators': {
        'ipapermlocation': DN(baseuser.active_container_dn, api.env.basedn),
        'ipapermbindruletype': 'permission',
        'ipapermtarget': DN('uid=*', baseuser.active_container_dn, api.env.basedn),
        'ipapermtargetfilter': {'(objectclass=posixaccount)'},
        'ipapermright': {'write'},
        'ipapermdefaultattr': {'uid'},
        'default_privileges': {'Stage User Administrators'},
    },

This was supposed to be "System: Modify User RDN". When the name is also fixed, I am fine.

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code