With IPA 4, the host identity no longer has permission to view all groups. One way this shows up as a problem is with sssd and deref searches for memberof: the deref search can no longer get the objectclass attributes from the dereferenced memberof DNs.
These are the objects a host is no longer allowed to read:
```
# memberof: cn=replication administrators,cn=privileges,cn=pbac,dc=younglogic,dc=net
# memberof: cn=add replication agreements,cn=permissions,cn=pbac,dc=younglogic,dc=net
# memberof: cn=modify replication agreements,cn=permissions,cn=pbac,dc=younglogic,dc=net
# memberof: cn=remove replication agreements,cn=permissions,cn=pbac,dc=younglogic,dc=net
# memberof: cn=modify dna range,cn=permissions,cn=pbac,dc=younglogic,dc=net
# memberof: cn=system: read replication agreements,cn=permissions,cn=pbac,dc=younglogic,dc=net
# memberof: cn=host enrollment,cn=privileges,cn=pbac,dc=younglogic,dc=net
# memberof: cn=system: add krbprincipalname to a host,cn=permissions,cn=pbac,dc=younglogic,dc=net
# memberof: cn=system: enroll a host,cn=permissions,cn=pbac,dc=younglogic,dc=net
# memberof: cn=system: manage host certificates,cn=permissions,cn=pbac,dc=younglogic,dc=net
# memberof: cn=system: manage host enrollment password,cn=permissions,cn=pbac,dc=younglogic,dc=net
# memberof: cn=system: manage host keytab,cn=permissions,cn=pbac,dc=younglogic,dc=net
```
I realize these are not user groups per se, but is there a reason IPA 3.5 allowed reading those groups and 4.x does not?
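As an added illustration of the symptom described above (not code from the ticket or from FreeIPA), this script parses ldapsearch-style deref output and reports which dereferenced memberof DNs came back with no objectclass values, which is what an ACI denial on the permission and privilege entries looks like to the client. The sample output is constructed, uses a made-up domain, and assumes the output shape where each `# memberof: <DN>` line is followed by `# objectclass:` lines only when the bound identity may read that entry.

```python
"""Flag dereferenced memberof DNs that returned no objectclass values."""
from collections import OrderedDict

# Constructed sample modelled on the ticket. The line layout (a "# memberof:"
# line, then "# objectclass:" lines when readable) is an assumption.
SAMPLE_OUTPUT = """\
dn: fqdn=client.example.test,cn=computers,cn=accounts,dc=example,dc=test
# memberof: cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=test
# objectclass: ipahostgroup
# objectclass: groupofnames
# memberof: cn=host enrollment,cn=privileges,cn=pbac,dc=example,dc=test
# memberof: cn=system: enroll a host,cn=permissions,cn=pbac,dc=example,dc=test
"""


def parse_deref(output):
    """Map each dereferenced DN to the objectclass values returned for it."""
    entries = OrderedDict()
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line.startswith("# "):
            continue  # only the deref comment lines matter here
        # Split on the first colon only: DNs such as "cn=system: enroll a host"
        # contain colons of their own.
        key, _, value = line[2:].partition(":")
        key = key.strip().lower()
        value = value.strip()
        if key == "memberof":
            current = value
            entries.setdefault(current, [])
        elif key == "objectclass" and current is not None:
            entries[current].append(value)
    return entries


def unreadable_dns(output):
    """DNs whose dereferenced attributes are empty: the bind identity could not read them."""
    return [dn for dn, classes in parse_deref(output).items() if not classes]


if __name__ == "__main__":
    for dn in unreadable_dns(SAMPLE_OUTPUT):
        print("no attributes returned for", dn)
```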
These are FreeIPA permission and privilege objects that define the RBAC model for managing the FreeIPA LDAP database. During Permissions V2 feature (#3566) development, we disabled anonymous reading of permissions, privileges and roles on purpose.
A user needs to be a member of the Delegation Administrator role to be able to read those.
I received no complaints - closing as wontfix.
Metadata Update from @rmeggins:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE