#2294 permission with filter is disregarded by user
Closed: Fixed None Opened 12 years ago by dpal.

https://bugzilla.redhat.com/show_bug.cgi?id=783536 (Red Hat Enterprise Linux 6)

Description of problem:
A permission that specifies a filter is disregarded when a user is assigned
that permission.


1> Add a permission:
ipa permission-add "ManageGroup" --filter='(&(!(objectclass=posixgroup))(objectclass=ipausergroup))' --permissions=write
2> Add privilege with just this one permission.
3> Add role with just the above privilege
4> Add user and assign the role above
5> Add a group and uncheck "Is this a POSIX group"
6> kinit as this user
7> Update the group's description, and an error is thrown about having
insufficient access

Expected this user to be able to update the above added group's description, or
add other users as members of this group.
Doc says:
--filter uses an LDAP filter to identify which entries the permission applies
to. All attributes within the matching entries can be modified.


Tried another filter:
ipa permission-add "ManageGroup" --filter='(givenname=xyz)' --permissions=write

and expected the kinit'd user with this permission to be able to change
attributes for user with givenname=xyz, but this user is displayed (in UI) as
readonly, and no attributes can be modified.

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-101.20120117T0229zgit5febffb.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. as indicated above


Actual results:
an error is thrown about having insufficient access

Expected results:
Expected this user to be able to update the above added group's description, or
add other users as members of this group.

Additional info:

Title in bugzilla was updated to:
[ipa webui] permission with filter or subtree does not allow attr to be specified

The ACI is missing the attribute. Attributes aren't currently allowed with filters in the UI but they are on the CLI.

In the end #2372 was really a duplicate of this ticket. #2372 is fixed so I'm closing this one too.

Metadata Update from @dpal:
- Issue assigned to pvoborni
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/03

7 years ago
