ALAHYANE Rachid wrote:
Hi,
I am working with ACIs and I noticed that you forgot to add mail in the
set of attributes that can be modified:
============================================
ipa aci-find "Modify Users"
---------
aci-find:
---------
(targetattr = "givenName || sn || cn || displayName || title || initials
|| loginShell || gecos || homePhone || mobile || pager ||
facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l
|| st || postalCode || manager || secretary || description || carLicense
|| labeledURI || inetUserHTTPURL || seeAlso || employeeType ||
businessCategory || ou")(target =
"ldap:///uid=*,cn=users,cn=accounts,dc=gamma,dc=domain,dc=org")(version
3.0;acl "Modify Users";allow (write) groupdn =
"ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,dc=gamma,dc=domain,dc=org";)
============================================
When I try to fix this problem, I do not know why my ACI is deleted!
============================================
ipa -v aci-mod "Modify Users" --attrs=mail --memberof=ipausers
ipa: INFO: skipping plugin module ipalib.plugins.cert: env.enable_ra is
not True
ipa: INFO: Created connection context.xmlclient
ipa: INFO: aci_mod(u'Modify Users', attrs=(u'mail',), memberof=u'ipausers')
ipa: INFO: Forwarding 'aci_mod' to server
u'https://server.gamma.domain.org/ipa/xml'
ipa: INFO: Destroyed connection context.xmlclient
ipa: ERROR: overlapping arguments and options: ['aciname']
============================================
ipa -v aci-mod --attrs=mail "Modify Users"
ipa: INFO: skipping plugin module ipalib.plugins.cert: env.enable_ra is
not True
ipa: INFO: Created connection context.xmlclient
ipa: INFO: aci_mod(u'Modify Users', attrs=(u'mail',))
ipa: INFO: Forwarding 'aci_mod' to server
u'https://server.gamma.domain.org/ipa/xml'
ipa: INFO: Destroyed connection context.xmlclient
ipa: ERROR: ACI with name "Modify Users" not found
============================================
ipa -v aci-show "Modify Users"
ipa: INFO: skipping plugin module ipalib.plugins.cert: env.enable_ra is
not True
ipa: INFO: Created connection context.xmlclient
ipa: INFO: aci_show(u'Modify Users')
ipa: INFO: Forwarding 'aci_show' to server
u'https://server.gamma.domain.org/ipa/xml'
ipa: INFO: Destroyed connection context.xmlclient
ipa: ERROR: ACI with name "Modify Users" not found
============================================
I am using the v1.9.0 version and I do not know if it is fixed now.

I don't think it's anything you're doing wrong. Looks like a bug in the
aci plugin, I'll take a look.
As an aside though I wouldn't set the ipausers as a memberof on this
ACI. What that will do is allow any user to modify any other user. I
doubt this is what you want.
Even if you did it would be better to add the ipausers group as a member
of the "Modify Users" rolegroup.
rob
_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users
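
An added example, not part of the thread or of FreeIPA's own code: a small Python audit of the ACI text shown above that reports whether a given attribute is writable under it and flags a grant to a broad group, the outcome the reply warns about. Modelling that outcome as a `groupdn` naming `ipausers`, the `cn=groups` container in the constructed variant, and the names `parse_aci` and `audit` are all assumptions made for illustration.

```python
import re

# ACI text from the aci-find output above, with the e-mail line wraps joined.
ACI = (
    '(targetattr = "givenName || sn || cn || displayName || title || initials '
    '|| loginShell || gecos || homePhone || mobile || pager || '
    'facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l '
    '|| st || postalCode || manager || secretary || description || carLicense '
    '|| labeledURI || inetUserHTTPURL || seeAlso || employeeType || '
    'businessCategory || ou")(target = '
    '"ldap:///uid=*,cn=users,cn=accounts,dc=gamma,dc=domain,dc=org")(version '
    '3.0;acl "Modify Users";allow (write) groupdn = '
    '"ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,dc=gamma,dc=domain,dc=org";)'
)
# Constructed variant (not from the thread); the cn=groups container is assumed.
BROAD = ACI.replace("cn=modifyusers,cn=taskgroups", "cn=ipausers,cn=groups")

TARGET_RE = re.compile(r'\(\s*(\w+)\s*!?=\s*"([^"]*)"\s*\)')
RULE_RE = re.compile(
    r'\s*acl\s+"([^"]*)"\s*;\s*(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*;\s*\)\s*$', re.S)

def parse_aci(aci):
    """Split one 389 DS ACI into targets, name, rights and grantee group DNs."""
    head, sep, body = aci.partition("(version 3.0;")
    rule = RULE_RE.match(body)
    if not sep or not rule:
        raise ValueError("not a single-rule version 3.0 ACI")
    targets = {k.lower(): v for k, v in TARGET_RE.findall(head)}
    return {
        "name": rule.group(1),
        "target": targets.get("target"),
        "attrs": [a.strip() for a in targets.get("targetattr", "").split("||") if a.strip()],
        "effect": rule.group(2),
        "rights": [r.strip().lower() for r in rule.group(3).split(",")],
        "groups": re.findall(r'groupdn\s*=\s*"ldap:///([^"]*)"', rule.group(4)),
    }

def audit(aci, attr, broad_groups=("ipausers",)):
    """Report whether attr is writable and which grantee groups are broad."""
    p = parse_aci(aci)
    can_write = p["effect"] == "allow" and "write" in p["rights"]
    cns = [dn.split(",")[0].partition("=")[2].lower() for dn in p["groups"]]
    return {
        "writable": can_write and attr.lower() in {a.lower() for a in p["attrs"]},
        "broad_grantees": [cn for cn in cns if cn in broad_groups],
    }

if __name__ == "__main__":
    print("thread ACI, mail:", audit(ACI, "mail"))
    print("constructed ipausers ACI, sn:", audit(BROAD, "sn"))
```

Run against an ACI exported before and after a change, the same check shows whether `mail` was added and whether the grantee group changed along with it.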