Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1338031
Description of problem:
Not able to edit the employeenumber, email, departnumber attributes as a user which is added to the role having the "User Administrators" privilege. Getting the error like below:

ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'employeeNumber' attribute of entry 'uid=ipauser,cn=users,cn=accounts,dc=redhat,dc=com'.

Steps to Reproduce:
1. Create a user in IPA with the kerberos principal of admin.
   # kinit admin
   # ipa user-add abhinayreddy --password
2. Create a new role in IPA.
   # ipa role-add usermodifier
3. Add the "User Administrators" privilege to the new role created.
   # ipa role-add-privilege --privileges="User Administrators" usermodifier
4. Add the new user created as a member of the role.
   # ipa role-add-member --users=abhinayreddy usermodifier
5. Get the kerberos principal for the user "abhinayreddy".
   # kinit abhinayreddy
6. Try to modify the employeenumber or email or departnumber of the user "ipauser".
   # ipa user-mod --employeenumber=123 ipauser
   # ipa user-mod --departnumbernumber=12345 ipauser
   # ipa user-mod --email=rd@redhat.com ipauser

Actual results:
Getting the below error -
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'employeeNumber' attribute of entry 'uid=ipauser,cn=users,cn=accounts,dc=redhat,dc=com'.
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'departmentNumber' attribute of entry 'uid=ipauser,cn=users,cn=accounts,dc=redhat,dc=com'.
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'mail' attribute of entry 'uid=ipauser,cn=users,cn=accounts,dc=redhat,dc=com'.

Expected results:
User "abhinayreddy" should be able to modify the employeenumber, email and departnumber attributes of the user "ipauser".

# ipa user-mod --employeenumber=123 ipauser
----------------------------
Modified user "ipauser"
----------------------------
  User login: ipauser
  First name: ipa
  Last name: user
  Home directory: /home/ipauser
  Login shell: /bin/sh
  Email address: ipauser@gsslab.pnq.redhat.com
  UID: 659600018
  GID: 659600018
  Account disabled: False
  Employee Number: 123
  Password: True
  Member of groups: ipausers
  Roles: usermodifier
  Kerberos keys available: True

# ipa user-mod --departnumber=122 ipauser
----------------------------
Modified user "ipauser"
----------------------------
  User login: ipauser
  First name: ipa
  Last name: user
  Home directory: /home/ipauser
  Login shell: /bin/sh
  Email address: ipauser@gsslab.pnq.redhat.com
  UID: 659600018
  GID: 659600018
  Account disabled: False
  Department Number: 122
  Password: True
  Member of groups: ipausers
  Roles: usermodifier
  Kerberos keys available: True

# ipa user-mod --email=ipauser@redhat.com ipauser
----------------------------
Modified user "ipauser"
----------------------------
  User login: ipauser
  First name: ipa
  Last name: user
  Home directory: /home/ipauser
  Login shell: /bin/sh
  Email address: ipauser@gsslab.pnq.redhat.com
  UID: 659600018
  GID: 659600018
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Roles: usermodifier
  Kerberos keys available: True

Additional info:
Maybe this is helpful: I can see that there is no write permission defined for these attributes in the permissions of Modify Users.

# System: Modify Users, permissions, pbac, gsslab.pnq.redhat.com
dn: cn=System: Modify Users,cn=permissions,cn=pbac,dc=gsslab,dc=pnq,dc=redhat,dc=com
ipaPermTargetFilter: (objectclass=posixaccount)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify Users
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=User Administrators,cn=privileges,cn=pbac,dc=gsslab,dc=pnq,dc=redhat,dc=com
member: cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=gsslab,dc=pnq,dc=redhat,dc=com
ipaPermDefaultAttr: telephonenumber
ipaPermDefaultAttr: cn
ipaPermDefaultAttr: labeleduri
ipaPermDefaultAttr: manager
ipaPermDefaultAttr: street
ipaPermDefaultAttr: displayname
ipaPermDefaultAttr: homephone
ipaPermDefaultAttr: title
ipaPermDefaultAttr: facsimiletelephonenumber
ipaPermDefaultAttr: loginshell
ipaPermDefaultAttr: employeetype
ipaPermDefaultAttr: description
ipaPermDefaultAttr: businesscategory
ipaPermDefaultAttr: preferredlanguage
ipaPermDefaultAttr: roomnumber
ipaPermDefaultAttr: mepmanagedentry
ipaPermDefaultAttr: carlicense
ipaPermDefaultAttr: postalcode
ipaPermDefaultAttr: givenname
ipaPermDefaultAttr: pager
ipaPermDefaultAttr: seealso
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: inetuserhttpurl
ipaPermDefaultAttr: l
ipaPermDefaultAttr: st
ipaPermDefaultAttr: mobile
ipaPermDefaultAttr: gecos
ipaPermDefaultAttr: sn
ipaPermDefaultAttr: ou
ipaPermDefaultAttr: secretary
ipaPermDefaultAttr: userclass
ipaPermDefaultAttr: initials
ipaPermLocation: cn=users,cn=accounts,dc=redhat,dc=com
Missing attributes should be added to related permissions
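The report's diagnosis is that the managed permission "System: Modify Users" simply lists no ipaPermDefaultAttr for employeenumber, departmentnumber or mail, so a privilege that contains it cannot grant write on them. The script below is an added example (not FreeIPA project code) of how an administrator can audit such a permission offline: it parses an LDIF dump of the entry (the kind `ipa permission-show --raw --all` or ldapsearch prints), computes the attribute set the permission effectively grants, reports which required attributes are missing, and builds the `ipa permission-mod` call that adds them as included attributes. The LDIF is a constructed, trimmed copy of the entry in the report. It assumes FreeIPA's managed-permission semantics (effective attributes = ipaPermDefaultAttr plus ipaPermIncludedAttr minus ipaPermExcludedAttr) and that `--includedattrs` replaces the whole included-attribute list; the function and variable names are the example's own.

```python
"""Audit a FreeIPA managed permission for attributes it does not grant.

Added example (not FreeIPA project code): given an LDIF dump of a
permission entry, report which of the attributes a role member needs to
write fall outside the permission's effective attribute set, and build
the `ipa permission-mod` call that would add them.
"""
import shlex
from typing import Dict, Iterable, List, Set

# The attributes the reporter's user-mod calls failed on (LDAP names).
REQUIRED = {"employeenumber", "departmentnumber", "mail"}

# Constructed sample: a trimmed copy of the 'System: Modify Users' entry
# from the report. RFC 2849 line folding (a continuation line starts with
# one space) is kept so the parser has to handle it.
SAMPLE_LDIF = """\
# System: Modify Users, permissions, pbac, gsslab.pnq.redhat.com
dn: cn=System: Modify Users,cn=permissions,cn=pbac,dc=gsslab,dc=pnq,dc=redhat,
 dc=com
ipaPermTargetFilter: (objectclass=posixaccount)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify Users
objectClass: ipapermissionv2
member: cn=User Administrators,cn=privileges,cn=pbac,dc=gsslab,dc=pnq,dc=redha
 t,dc=com
ipaPermDefaultAttr: telephonenumber
ipaPermDefaultAttr: cn
ipaPermDefaultAttr: displayname
ipaPermDefaultAttr: title
ipaPermDefaultAttr: loginshell
ipaPermDefaultAttr: employeetype
ipaPermDefaultAttr: givenname
ipaPermDefaultAttr: sn
ipaPermLocation: cn=users,cn=accounts,dc=redhat,dc=com
"""


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute name (lowercased): [values]}.

    Unfolds continuation lines, skips comments and blanks, and rejects
    base64 values ('attr:: ...') instead of misreading them.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            unfolded.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in unfolded:
        name, sep, value = line.partition(": ")
        if not sep or not name or name.endswith(":"):
            raise ValueError(f"unsupported LDIF line: {line!r}")
        entry.setdefault(name.lower(), []).append(value.strip())
    return entry


def _values(entry: Dict[str, List[str]], attr: str) -> Set[str]:
    return {v.lower() for v in entry.get(attr, [])}


def writable_attrs(entry: Dict[str, List[str]]) -> Set[str]:
    """Attributes the permission effectively grants: the managed defaults
    plus admin-added ipaPermIncludedAttr minus ipaPermExcludedAttr
    (assumed FreeIPA managed-permission semantics). Without the 'write'
    right nothing is writable at all."""
    if "write" not in _values(entry, "ipapermright"):
        return set()
    granted = _values(entry, "ipapermdefaultattr") | _values(entry, "ipapermincludedattr")
    return granted - _values(entry, "ipapermexcludedattr")


def missing_attrs(entry: Dict[str, List[str]], required: Iterable[str]) -> List[str]:
    """Required attributes the permission does not grant write on, sorted."""
    return sorted({a.lower() for a in required} - writable_attrs(entry))


def fix_command(entry: Dict[str, List[str]], missing: Iterable[str]) -> str:
    """Build the permission-mod call that adds the missing attributes as
    included attributes. Already-included attributes are kept in the list
    (assumption: --includedattrs replaces the whole list rather than
    appending to it)."""
    name = entry["cn"][0]
    included = sorted(_values(entry, "ipapermincludedattr") | {a.lower() for a in missing})
    return f"ipa permission-mod {shlex.quote(name)} --includedattrs={','.join(included)}"


if __name__ == "__main__":
    perm = parse_ldif(SAMPLE_LDIF)
    gap = missing_attrs(perm, REQUIRED)
    print(f"{perm['cn'][0]}: missing write on {', '.join(gap) or 'nothing'}")
    if gap:
        print(fix_command(perm, gap))
```

Run against the sample it reports employeenumber, departmentnumber and mail as ungranted and prints the permission-mod line; re-running it against the dump after the fix (or after the update that adds the defaults) should report nothing missing, which makes it a cheap regression check to keep next to the role definition.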
Metadata Update from @mbasti:
- Issue assigned to stlaz
- Issue set to the milestone: FreeIPA 4.4