#5911 Insufficient 'write' privilege on some attributes for the members of the role which has "User Administrators" privilege.
Closed: Fixed. Opened 7 years ago by mbasti.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1338031

Description of problem:

Not able to edit the employeenumber, email and departnumber attributes as a user
who is a member of the role having the "User Administrators" privilege.

Getting an error like the one below:

ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
'employeeNumber' attribute of entry
'uid=ipauser,cn=users,cn=accounts,dc=redhat,dc=com'.


Steps to Reproduce:

1. Create a user in IPA using the Kerberos principal of admin.

  # kinit admin

  # ipa user-add abhinayreddy --password

2. Create a new role in IPA.

   # ipa role-add usermodifier

3. Add "User Administrators" privilege to the new role created.

   # ipa role-add-privilege --privileges="User Administrators" usermodifier

4. Add the newly created user as a member of the role.

   # ipa role-add-member --users=abhinayreddy usermodifier

5. Get the Kerberos principal for the user "abhinayreddy".

   # kinit abhinayreddy

6. Try to modify the employeenumber, email or departnumber of the user
"ipauser".

   # ipa user-mod --employeenumber=123 ipauser

   # ipa user-mod --departnumber=12345 ipauser

   # ipa user-mod --email=rd@redhat.com ipauser


Actual results:

Getting the errors below:

ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
'employeeNumber' attribute of entry
'uid=ipauser,cn=users,cn=accounts,dc=redhat,dc=com'.

ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
'departmentNumber' attribute of entry
'uid=ipauser,cn=users,cn=accounts,dc=redhat,dc=com'.

ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'mail'
attribute of entry 'uid=ipauser,cn=users,cn=accounts,dc=redhat,dc=com'.



Expected results:

User "abhinayreddy" should be able to modify the employeenumber, email and
departnumber attributes of the user "ipauser".


# ipa user-mod --employeenumber=123 ipauser
----------------------------
Modified user "ipauser"
----------------------------
  User login: ipauser
  First name: ipa
  Last name: user
  Home directory: /home/ipauser
  Login shell: /bin/sh
  Email address: ipauser@gsslab.pnq.redhat.com
  UID: 659600018
  GID: 659600018
  Account disabled: False
  Employee Number: 123
  Password: True
  Member of groups: ipausers
  Roles: usermodifier
  Kerberos keys available: True


# ipa user-mod --departnumber=122 ipauser
----------------------------
Modified user "ipauser"
----------------------------
  User login: ipauser
  First name: ipa
  Last name: user
  Home directory: /home/ipauser
  Login shell: /bin/sh
  Email address: ipauser@gsslab.pnq.redhat.com
  UID: 659600018
  GID: 659600018
  Account disabled: False
  Department Number: 122
  Password: True
  Member of groups: ipausers
  Roles: usermodifier
  Kerberos keys available: True


# ipa user-mod --email=ipauser@redhat.com ipauser
----------------------------
Modified user "ipauser"
----------------------------
  User login: ipauser
  First name: ipa
  Last name: user
  Home directory: /home/ipauser
  Login shell: /bin/sh
  Email address: ipauser@gsslab.pnq.redhat.com
  UID: 659600018
  GID: 659600018
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Roles: usermodifier
  Kerberos keys available: True


Additional info:

Maybe this is helpful:

I can see that there is no write permission defined for these attributes in
the Modify Users permission.


# System: Modify Users, permissions, pbac, gsslab.pnq.redhat.com
dn: cn=System: Modify Users,cn=permissions,cn=pbac,dc=gsslab,dc=pnq,dc=redhat,
 dc=com
ipaPermTargetFilter: (objectclass=posixaccount)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify Users
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=User Administrators,cn=privileges,cn=pbac,dc=gsslab,dc=pnq,dc=redha
 t,dc=com
member: cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=gsslab,dc
 =pnq,dc=redhat,dc=com
ipaPermDefaultAttr: telephonenumber
ipaPermDefaultAttr: cn
ipaPermDefaultAttr: labeleduri
ipaPermDefaultAttr: manager
ipaPermDefaultAttr: street
ipaPermDefaultAttr: displayname
ipaPermDefaultAttr: homephone
ipaPermDefaultAttr: title
ipaPermDefaultAttr: facsimiletelephonenumber
ipaPermDefaultAttr: loginshell
ipaPermDefaultAttr: employeetype
ipaPermDefaultAttr: description
ipaPermDefaultAttr: businesscategory
ipaPermDefaultAttr: preferredlanguage
ipaPermDefaultAttr: roomnumber
ipaPermDefaultAttr: mepmanagedentry
ipaPermDefaultAttr: carlicense
ipaPermDefaultAttr: postalcode
ipaPermDefaultAttr: givenname
ipaPermDefaultAttr: pager
ipaPermDefaultAttr: seealso
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: inetuserhttpurl
ipaPermDefaultAttr: l
ipaPermDefaultAttr: st
ipaPermDefaultAttr: mobile
ipaPermDefaultAttr: gecos
ipaPermDefaultAttr: sn
ipaPermDefaultAttr: ou
ipaPermDefaultAttr: secretary
ipaPermDefaultAttr: userclass
ipaPermDefaultAttr: initials
ipaPermLocation: cn=users,cn=accounts,dc=redhat,dc=com
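To audit an entry like the one above without reading the attribute list by eye, here is an added check (example code, not from the ticket or the FreeIPA code base). It parses an LDIF dump of a permission entry, handles LDIF line folding as seen in the dump, computes the effective attribute set the way FreeIPA does for managed permissions (default plus included minus excluded) and prints which of the attributes the reporter needs are not writable, together with the `ipa permission-mod --includedattrs` call that would add them. The sample entry is a constructed, trimmed copy of the ticket's dump.

```python
import re

# Constructed sample: a trimmed copy of the "System: Modify Users" entry from the
# ticket, with LDIF line folding (a continuation line starts with a space) kept.
SAMPLE_LDIF = """\
dn: cn=System: Modify Users,cn=permissions,cn=pbac,dc=gsslab,dc=pnq,dc=redhat,
 dc=com
ipaPermRight: write
ipaPermissionType: MANAGED
cn: System: Modify Users
ipaPermDefaultAttr: telephonenumber
ipaPermDefaultAttr: cn
ipaPermDefaultAttr: sn
"""

REQUIRED = ("employeenumber", "departmentnumber", "mail")  # what the reporter needs writable

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lowercase: [values]}, unfolding folded lines."""
    entry = {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if line and not line.startswith("#"):
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def effective_attrs(entry):
    """A managed permission grants (default + included) - excluded attributes."""
    pick = lambda key: {a.lower() for a in entry.get(key, [])}
    return (pick("ipapermdefaultattr") | pick("ipapermincludedattr")) - pick("ipapermexcludedattr")

def missing_attrs(ldif_text, required=REQUIRED):
    """Return the required attributes this permission does not grant write on."""
    entry = parse_ldif_entry(ldif_text)
    if "write" not in {r.lower() for r in entry.get("ipapermright", [])}:
        return sorted(a.lower() for a in required)  # no write right at all
    granted = effective_attrs(entry)
    return sorted(a.lower() for a in required if a.lower() not in granted)

def suggested_fix(ldif_text, required=REQUIRED):
    """Build the ipa CLI command that adds the missing attributes as included
    attributes (ipaPermIncludedAttr), the supported way to extend a MANAGED permission."""
    missing = missing_attrs(ldif_text, required)
    if not missing:
        return None
    name = parse_ldif_entry(ldif_text)["cn"][0]
    return 'ipa permission-mod "%s" %s' % (
        name, " ".join("--includedattrs=%s" % a for a in missing))
```

Run it against `ipa permission-show "System: Modify Users" --all --raw` output (or a `ldapsearch` dump) to confirm the attributes a role member can actually write before and after a fix.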

Missing attributes should be added to the related permissions.

master:

  • 1ce63e6 Added some attributes to Modify Users permission

Metadata Update from @mbasti:
- Issue assigned to stlaz
- Issue set to the milestone: FreeIPA 4.4

7 years ago
