#2718 error indicates a different reason when ipa permission-mod fails to modify attrs
Closed: Fixed None Opened 11 years ago by mkosek.

https://bugzilla.redhat.com/show_bug.cgi?id=817909 (Red Hat Enterprise Linux 6)

Description of problem:
From https://bugzilla.redhat.com/show_bug.cgi?id=783502#c11:
The test was to modify a permission to change the attributes, using allowed
attributes:
ipa permission-mod "Change a user password" --attrs=userpassword,krbprincipalkey,sambalmpassword,passwordhistory

the error now is:
ipa: ERROR: invalid 'target': type, filter, subtree and targetgroup are
mutually exclusive

What is it referring to?

Same error if I choose to use a non-savvy attr like "abc"
ipa permission-mod "Change a user password" --attrs=abc

or decide to provide the correct type, but still try to modify attr (with
meaningful or non meaningful attrs)
# ipa permission-mod "Change a user password" --attrs=abc --type=user
ipa: ERROR: invalid 'target': type, filter, subtree and targetgroup are
mutually exclusive


Version-Release number of selected component (if applicable):
ipa-server-2.2.0-12.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Modify attributes of a permission
2.
3.

Actual results:
unable to modify, and get unrelated error

Expected results:
be able to modify - if all parameters are provided in command line (to
work around bug 782847)

Additional info:

I think we should allow type, subtree and targetgroup to be combined with filter (I added more details to the linked BZ).


This should be fixed in FreeIPA 3.4 Permissions v2 refactoring in #3566.

I just verified this is no longer a problem:

# ipa permission-show "Change a user password"
  Permission name: Change a user password
  Permissions: write
  Effective attributes: krbprincipalkey, passwordhistory, sambalmpassword,
                        sambantpassword, userpassword
  Bind rule type: permission
  Subtree: dc=example,dc=com
  ACI target filter: (!(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com))
  ACI target DN: uid=*,cn=users,cn=accounts,dc=example,dc=com
  Granted to Privilege: Modify Users and Reset passwords, User Administrators

# ipa permission-mod "Change a user password" --attrs={userpassword,krbprincipalkey,sambalmpassword,passwordhistory}
--------------------------------------------
Modified permission "Change a user password"
--------------------------------------------
  Permission name: Change a user password
  Permissions: write
  Effective attributes: krbprincipalkey, passwordhistory, sambalmpassword, userpassword
  Bind rule type: permission
  Subtree: dc=example,dc=com
  ACI target filter: (!(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com))
  ACI target DN: uid=*,cn=users,cn=accounts,dc=example,dc=com
  Granted to Privilege: Modify Users and Reset passwords, User Administrators

Metadata Update from @mkosek:
- Issue assigned to pviktori
- Issue set to the milestone: FreeIPA 4.0 - 2014/02

7 years ago
