On 09/06/15 13:05, Martin Basti wrote:
On 09/06/15 12:58, Martin Basti wrote:
On 08/06/15 20:59, nat...@nathanpeters.com wrote:
I am trying my best to figure out why any FreeIPA internal
'administrators' that I create cannot search DNS entries.
The builtin admin user can search and get results for DNS entries just
fine, but we would rather not share this account with every sysadmin in
I have created a new role called "Super Admin". On the privileges
this user, I have added every single privilege in the 'Add' menu. This
role now has all 29 privileges defined on the system. However, even
assigned a user to have this role, and logging out and back in
cannot search DNS entries. He can see every dns entry if he manually
pages through them one at a time (we have several thousand so this
workable as you would have to scroll through hundreds of pages). The
problem is any search always returns zero entries.
I thought maybe something was missing so I created a new privilege
"All privileges". I then tried to add each individual permission to
privilege. I could only add 76 permissions. All other permissions
give the following error when I try to add them: "invalid
cannot add permission "System: Read Automount Configuration" with
"anonymous" to a privilege"
I can see if I go to the permissions menu that there are actually 174
possible permissions so to only be able to add 76 of them seems really
So my questions are:
1) Why can a user with 'all' privileges not search DNS entries?
2) Why am I only able to add 76 out of the 174 permissions to a
3) Is there anything that can be done to allow a user that is not the
builtin 'admin' user to search dns entries or actually be allotted all
permissions on the system?
which version of IPA do you use?
I was able to find all zones with a new user on IPA 4.1.
I just added the 'DNS administrators' privilege for the new user.
I reproduced this issue; IMO it is not related to permissions, but the
search command itself, I will investigate.
Indeed you were right, there is a wrong filter, which is denied by ACI.
Thank you for this bug report.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project