#4486 host identity does not have permission to view all groups
Closed: Invalid. Opened 9 years ago by rmeggins.

With IPA 4, the host identity no longer has permission to view all groups. One way this shows up as a problem is with sssd and deref searches for memberof - the deref search can no longer get the objectclass attributes from the dereferenced memberof DNs.


These are the objects a host is no longer allowed to read:

# memberof: cn=replication administrators,cn=privileges,cn=pbac,dc=younglogic,dc=net
# memberof: cn=add replication agreements,cn=permissions,cn=pbac,dc=younglogic,dc=net
# memberof: cn=modify replication agreements,cn=permissions,cn=pbac,dc=younglogic,dc=net
# memberof: cn=remove replication agreements,cn=permissions,cn=pbac,dc=younglogic,dc=net
# memberof: cn=modify dna range,cn=permissions,cn=pbac,dc=younglogic,dc=net
# memberof: cn=system: read replication agreements,cn=permissions,cn=pbac,dc=younglogic,dc=net
# memberof: cn=host enrollment,cn=privileges,cn=pbac,dc=younglogic,dc=net
# memberof: cn=system: add krbprincipalname to a host,cn=permissions,cn=pbac,dc=younglogic,dc=net
# memberof: cn=system: enroll a host,cn=permissions,cn=pbac,dc=younglogic,dc=net
# memberof: cn=system: manage host certificates,cn=permissions,cn=pbac,dc=younglogic,dc=net
# memberof: cn=system: manage host enrollment password,cn=permissions,cn=pbac,dc=younglogic,dc=net
# memberof: cn=system: manage host keytab,cn=permissions,cn=pbac,dc=younglogic,dc=net

I realize these are not user groups per se, but is there a reason IPA 3.5 allowed reading those groups and 4.x does not?

These are FreeIPA permissions and privileges objects that define the RBAC model for managing the FreeIPA LDAP database. During development of the Permissions V2 feature (#3566), we disabled anonymous reading of permissions, privileges and roles on purpose.

A user needs to be a member of the Delegation Administrator role to be able to read those.

I received no complaints - closing as wontfix.
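As an added example (not code from this ticket or from FreeIPA), the following Python unwraps ldapsearch-style wrapped output like the memberof list pasted above and separates the DNs into ordinary user groups and the cn=pbac permission/privilege objects that, per the reply, only Delegation Administrator members can read. The sample output and the dc=example,dc=test suffix are constructed; DNs are split on plain commas, so escaped commas in RDNs are not handled.

```python
# Added example (not from the ticket or FreeIPA): unwrap LDIF-wrapped ldapsearch
# output and sort memberof DNs into user groups versus RBAC (cn=pbac) objects
# that a host identity cannot read on IPA 4.x. SAMPLE_OUTPUT is constructed.
import re

# Constructed sample: two wrapped lines in the ticket's format plus one
# ordinary user group for contrast.
SAMPLE_OUTPUT = """\
# memberof: cn=replication administrators,cn=privileges,cn=pbac,dc=example
 ,dc=test
# memberof: cn=system: enroll a host,cn=permissions,cn=pbac,dc=example,dc=
 test
# memberof: cn=ipaservers,cn=groups,cn=accounts,dc=example,dc=test
"""


def unwrap_ldif(text):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def memberof_dns(text):
    """Return the DN values of memberof lines, with or without a leading '# '."""
    dns = []
    for line in unwrap_ldif(text):
        m = re.match(r"^#?\s*memberof:\s*(.+)$", line, re.IGNORECASE)
        if m:
            dns.append(m.group(1).strip())
    return dns


def split_by_container(dns):
    """Split DNs into user groups (cn=groups,cn=accounts), RBAC objects (cn=pbac), other."""
    groups, rbac, other = [], [], []
    for dn in dns:
        rdns = [r.strip().lower() for r in dn.split(",")]  # naive split, no escapes
        if "cn=pbac" in rdns:
            rbac.append(dn)
        elif "cn=groups" in rdns and "cn=accounts" in rdns:
            groups.append(dn)
        else:
            other.append(dn)
    return groups, rbac, other


if __name__ == "__main__":
    g, r, o = split_by_container(memberof_dns(SAMPLE_OUTPUT))
    print("user groups (host can read):", g)
    print("RBAC objects (need Delegation Administrator to read):", r)
    print("other:", o)
```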

Metadata Update from @rmeggins:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

7 years ago
