https://bugzilla.redhat.com/show_bug.cgi?id=817909 (Red Hat Enterprise Linux 6)
Description of problem:
From https://bugzilla.redhat.com/show_bug.cgi?id=783502#c11:

The test was to modify a permission to change the attributes, using allowed attributes:

    ipa permission-mod "Change a user password" --attrs=userpassword,krbprincipalkey,sambalmpassword,passwordhistory

the error now is:

    ipa: ERROR: invalid 'target': type, filter, subtree and targetgroup are mutually exclusive

What is it referring to?

Same error if I choose to use a non-savvy attr like "abc"

    ipa permission-mod "Change a user password" --attrs=abc

or decide to provide the correct type, but still try to modify attr (with meaningful or non meaningful attrs)

    # ipa permission-mod "Change a user password" --attrs=abc --type=user
    ipa: ERROR: invalid 'target': type, filter, subtree and targetgroup are mutually exclusive

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-12.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Modify attributes of a permission
2.
3.

Actual results:
unable to modify, and get unrelated error

Expected results:
be able to modify - if all parameters are provided in command line (to workaround bug 782847)

Additional info:
I think we should allow type, subtree and targetgroup to be combined with filter (I added more details to the linked BZ).
This should be fixed in FreeIPA 3.4 Permissions v2 refactoring in #3566.
I just verified this is no longer a problem:
    # ipa permission-show "Change a user password"
      Permission name: Change a user password
      Permissions: write
      Effective attributes: krbprincipalkey, passwordhistory, sambalmpassword, sambantpassword, userpassword
      Bind rule type: permission
      Subtree: dc=example,dc=com
      ACI target filter: (!(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com))
      ACI target DN: uid=*,cn=users,cn=accounts,dc=example,dc=com
      Granted to Privilege: Modify Users and Reset passwords, User Administrators

    # ipa permission-mod "Change a user password" --attrs={userpassword,krbprincipalkey,sambalmpassword,passwordhistory}
    --------------------------------------------
    Modified permission "Change a user password"
    --------------------------------------------
      Permission name: Change a user password
      Permissions: write
      Effective attributes: krbprincipalkey, passwordhistory, sambalmpassword, userpassword
      Bind rule type: permission
      Subtree: dc=example,dc=com
      ACI target filter: (!(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com))
      ACI target DN: uid=*,cn=users,cn=accounts,dc=example,dc=com
      Granted to Privilege: Modify Users and Reset passwords, User Administrators
Metadata Update from @mkosek: - Issue assigned to pviktori - Issue set to the milestone: FreeIPA 4.0 - 2014/02