On 01/13/2017 06:24 PM, thierry bordaz wrote:
I think we need a 389-ds ticket as well. Looking into it, the aci code
contains parts to construct a template entry to evaluate access to a non
existent entry, but it is not called because either entries are found
and processed or the search returns no such object.
The option specifies the value of 'objectclass' attribute during the
GER. That is evaluated at attributeLevelRights but not at the
entryLevelRights. I was not able to fix the test case using this option.
For information I opened that ticket
It should be possible to make this work.
On 01/13/2017 11:01 AM, Ludwig Krispenz wrote:
if you look at:
then it looks like you can provide GER a bit of information eg
objectclass of the new entry, so that the existing aci would be
selected. Maybe can_add can be extended.
On 01/13/2017 09:12 AM, thierry bordaz wrote:
I failed to reproduce your test case, I mean the aci granted the add
right to a group member to ADD an entry with the filtered attribute.
Now I have a doubt about testing an attribute value on an entry that does
not yet exist.
Would you run /usr/lib64/mozldap/ldapsearch -D "cn=directory
manager" W -b "cn=cas,cn=ca,dc=ipa,dc=local " -J
to get the effective rights under cn=cas,cn=ca,dc=ipa,dc=local
Also you may replay your test case with ACL logs
On 01/13/2017 07:21 AM, Fraser Tweedale wrote:
In ca_add.pre_callback, we have:
if not ldap.can_add(dn[1:]):
`can_add' uses the GetEffectiveRights control to see what rights the
When a user with the 'System: Add CA' permission attempts to add a
CA, the above ACIError gets raised. This is definitely a bug. I
think it is a bug in DS GetEffectiveRights code.
The ACI in play is:
aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl
: Add CA";allow (add) groupdn = "ldap:///cn=System: Add
The user definitely has the right membership:
memberof: cn=CA Administrator,cn=roles,cn=accounts,dc=ipa,dc=local
memberof: cn=System: Add CA,cn=permissions,cn=pbac,dc=ipa,dc=local
William suggested I check whether direct vs. indirect membership
made a difference. It does not.
A wild guess is that the algorithm that computes whether the subject
has add access under the given entry does not take the targetfilter
into account. To solve, perhaps we could ignore ACI targetfilter when
computing add access for GER.
Alternatively, is there another way for a user to determine if they
can add an entry at a particular place, without actually doing the
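Added example, not code from this thread, from FreeIPA or from 389-ds: a small Python model of the two things the thread turns on. The first part parses a GER response the way the `can_add` check described above would read it (the `a` flag in `entryLevelRights`; the flag letters and the `attr:flags` form of `attributeLevelRights` are the 389-ds encoding). The second part is a deliberately reduced ACI evaluator that shows why an ACI with a `targetfilter` cannot match when add access is computed for an entry that does not exist yet, and how a template entry carrying the intended `objectclass` (the idea raised in the replies above) would let it match. The ACI and `memberOf` values are copied from the message; the dict shapes, function names and the equality-only filter support are assumptions of this toy model.

```python
"""Toy model of the GetEffectiveRights (GER) problem discussed in the thread.

Constructed example, not FreeIPA or 389-ds code.  Assumptions: the GER
response is modelled as a dict of attribute -> list of string values, the
ACI is reduced to the three clauses visible in the thread (targetfilter,
rights, groupdn), and only an equality targetfilter is supported.
"""
import re

# 389-ds encodes entry-level rights as a string of single-letter flags:
# v = view, a = add a child entry, d = delete, n = rename.
def parse_entry_level_rights(value):
    return set(value.strip())

# attributeLevelRights looks like "objectclass:rsc, cn:rscwo" where the
# flags are r=read, s=search, c=compare, w=write, o=obliterate.
def parse_attribute_level_rights(value):
    rights = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        attr, _, flags = item.partition(":")
        rights[attr.strip().lower()] = set(flags.strip())
    return rights

def can_add(ger_entry):
    """Mirror of the check described for ldap.can_add: the GER response for
    the parent entry must carry the 'a' (add) flag in entryLevelRights."""
    values = ger_entry.get("entryLevelRights") or [""]
    return "a" in parse_entry_level_rights(values[0])

# The ACI quoted in the thread, reduced to its three visible clauses.
ADD_CA_ACI = {
    "targetfilter": "(objectclass=ipaca)",
    "rights": {"add"},
    "groupdn": "cn=System: Add CA,cn=permissions,cn=pbac,dc=ipa,dc=local",
}

# memberOf values quoted in the thread.
MEMBER_OF = {
    "cn=CA Administrator,cn=roles,cn=accounts,dc=ipa,dc=local",
    "cn=System: Add CA,cn=permissions,cn=pbac,dc=ipa,dc=local",
}

_EQUALITY_FILTER = re.compile(r"^\(([^=()]+)=([^()]+)\)$")

def targetfilter_matches(targetfilter, entry):
    """Evaluate an equality filter such as (objectclass=ipaca) against an
    entry given as attribute -> list of values (case-insensitive)."""
    m = _EQUALITY_FILTER.match(targetfilter)
    if not m:
        raise ValueError("only (attr=value) filters are modelled here")
    attr, wanted = m.group(1).strip().lower(), m.group(2).strip().lower()
    values = {k.lower(): v for k, v in entry.items()}.get(attr, [])
    return wanted in {v.lower() for v in values}

def grants_add(acis, member_of, template_entry):
    """Does any ACI grant 'add' to a subject with the given group memberships?

    template_entry is the entry the targetfilter is evaluated against.  For an
    add of a not-yet-existing entry there is none unless the server builds one
    from hints such as the objectclass; None models that missing entry, and a
    targetfilter can never match it, which is the behaviour the thread reports.
    """
    for aci in acis:
        if "add" not in aci["rights"] or aci["groupdn"] not in member_of:
            continue
        tf = aci.get("targetfilter")
        if tf:
            if template_entry is None:
                continue
            if not targetfilter_matches(tf, template_entry):
                continue
        return True
    return False

if __name__ == "__main__":
    # 1. Reading a GER response the way can_add does.
    print(can_add({"entryLevelRights": ["vadn"]}))  # True
    print(parse_attribute_level_rights("objectclass:rsc, cn:rscwo"))
    # 2. No template entry: the targetfilter ACI never matches, no add right.
    print(grants_add([ADD_CA_ACI], MEMBER_OF, None))  # False
    # 3. A template entry carrying objectclass=ipaca lets the same ACI match.
    print(grants_add([ADD_CA_ACI], MEMBER_OF, {"objectclass": ["ipaca"]}))  # True
```

Run stand-alone, the three printed results reproduce the situation in the report: the user has the right membership and the ACI grants `add`, yet with nothing for the `targetfilter` to match the computed rights contain no `a`, so a `can_add`-style check fails before the real ADD is attempted.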
Manage your subscription for the Freeipa-devel mailing list: