This is a follow up to #4312. admin user has a powerful write ACI allowing him to write to all non-blacklisted entries and attributes:
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins, cn=groups,cn=accounts,$SUFFIX";)
However, when global read ACI
aci: (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenHOTP))(! (objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
is removed, he will not be able to for example allowed to search on memberOf attribute and other attributes that will make him incapable of running some commands (like permission-find).
We need to read, search, compare ACI for admins group.
This is needed for 4.0 development, moving to the right milestone.
master:
Metadata Update from @mkosek: - Issue assigned to pviktori - Issue set to the milestone: FreeIPA 4.0 - 2014/04
Login to comment on this ticket.