The private groups are handled via DS plugin automatically. In some rare cases the private group can be decoupled from the parent entry and managed manually. This is a one way operation. We need CLI for it.
What are the requirements for this? I assume the GID has to be the same?
I'll have to check with the DS team on this but we're going to need to delete the group and re-create it to be unmanaged.
I thought that you can just make it unmanaged. Then it just becomes editable by other means. I do not think you need to delete the group itself. You just need to change something in the user or group entry (remove some attribute that makes it managed) but check with the DS team.
The Managed Entries plug-in was designed such that one could manually "unlink" a managed entry from it's origin entry. To do so, you remove the pointer attributes from the origin/managed entries along with the objectClasses. The pointers are the "mepManagedEntry" and "mepManagedBy" attributes. The objectClasses are "mepManagedEntry" and "mepOriginEntry".
decouple user-private groups freeipa-504-detach.patch
The basic test should be covered by the built-in tests.
If you want further tests you can verify that a non-admin user with delegated permissions can do this and that they require the right access.
To do this:
1. ipa user-add --first=Test --last=User tuser1 --password 2. ipa rolegroup-add-member --users=tuser1 useradmin 3. ipa user-add --first=Test --last=User tuser2 4. kinit tuser1 5. ipa group-detach tuser2 This should result in an error because user tuser1 can't write to groups 6. kinit admin 7. ipa rolegroup-add-member --users=tuser1 groupadmin 8. kinit tuser1 9. ipa group-detach tuser2 Should succeed.
master: 5b894d1
Metadata Update from @dpal: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 2.0 - 2010/08
Login to comment on this ticket.