Sigbjorn Lie via FreeIPA-users wrote: > On 2022-02-17 13:52, Alexander Bokovoy via FreeIPA-users wrote: >> On to, 17 helmi 2022, Sigbjorn Lie-Soland via FreeIPA-users wrote: >>> Hi list, >>> >>> We recenlty upgraded our IPA environment from EL7.9 to EL8.5. And now >>> we are testing out the new Member Manager feature. >>> >>> Adding a usergroup (example: "role-groupmanager") as a MemberManager >>> for another group (example: "role-usergroup-A") yields an error message >>> when the user member of the "role-groupmanager” group (example: >>> “thorleif”) attempts to add/remove users from the group >>> "role-usergroup-A”: >>> >>> "Insufficient access: Insufficient 'write' privilege to the 'member' >>> attribute of entry" >>> >>> If I add the user “thorleif” directly as a MemberManager of the group >>> "role-usergroup-A”, allows him to successfully add and remove users >>> from the group "role-usergroup-A”. >>> >>> I presume this is a bug? Is there a known BZ for this or do you need me >>> to open one? >> >> According to the design document, >> >> ------------------------------------------------------------------- >> Member managers are stored in a new LDAP attribute ``memberManager`` >> with OID 2.16.840.1.113730.3.8.23.1. It is multi-valued and contains >> DNs of users and groups which can manage members of the group. The >> attribute can be added to entries with object class ``ipaUserGroup`` >> or ``ipaHostGroup``. The attribute is indexed and its membership >> controlled by referential integrity postoperation plugin. >> New userattr ACIs grant principals with user DN or group DN in >> ``memberManager`` write permission to the ``member`` attribute of the >> group. >> >> The ``memberManager`` attribute is protected by the generic read and >> modify permissions for each type of group. It is readable by everybody >> with ``System: Read Groups`` / ``System: Read Hostgroups`` permission >> and writable by everybody with ``System: Modify Groups`` / >> ``System: Modify Hostgroups`` permission. >> ------------------------------------------------------------------- >> >> So there are two parts here: ACI and a proper object class >> 'ipaUserGroup' for the group to manage (or 'ipaHostGroup' for host >> group to manage). >> >> Can you check that 'aci' attribute on cn=groups,cn=accounts,$SUFFIX and >> on cn=hostgroups,cn=accounts,$SUFFIX contains the following ACIs: >> >> # Allow member managers to modify members of user groups >> dn: cn=groups,cn=accounts,$SUFFIX >> aci: (targetattr = "member")(targetfilter = >> "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers >> to modify members of user groups"; allow (write) userattr = >> "memberManager#USERDN" or userattr = "memberManager#GROUPDN";) >> >> # Allow member managers to modify members of a host group >> dn: cn=hostgroups,cn=accounts,$SUFFIX >> aci: (targetattr = "member")(targetfilter = >> "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers >> to modify members of host groups"; allow (write) userattr = >> "memberManager#USERDN" or userattr = "memberManager#GROUPDN";) > > > Thank you for the prompt reply! > > I see the following ACI on dn: cn=groups,cn=accounts,$SUFFIX > aci: (targetattr = "member")(targetfilter = > "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to > modify members of user groups"; allow (write) userattr = > "memberManager#USERDN";) > > This differs from your example which includes both USERDN and GROUPDN in > the ACI, while our ACI includes only USERDN. > > Looking at the ACI for dn: cn=hostgroups,cn=accounts,$SUFFIX results in > the same issue. > aci: (targetattr = "member")(targetfilter = > "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to > modify members of host groups"; allow (write) userattr = > "memberManager#USERDN";) > > > Is there an existing BZ for this? As we recently upgraded we have just > about all the recent EL8 patches installed.
I couldn't find one. The problem is that the ACIs are defined in two places: install/share/default-aci.ldif install/updates/20-aci.update default-aci.ldif has the ACI including GROUPDN but this isn't applied on upgrades. 20-aci.update has what you are seeing, USERDN only. This will require two fixes: one to add the GROUPDN when the ACI is missing and one to repair existing installs. rob _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
