[Freeipa-devel] Need ACI to allow self-modification

Rob Crittenden rcritten at redhat.com
Mon Oct 29 18:58:06 UTC 2007


Simo Sorce wrote:
> On Mon, 2007-10-29 at 14:08 -0400, Rob Crittenden wrote:
>> I'm surprised we haven't seen this yet. I suppose I've done most unit 
>> testing as 'admin' myself.
>>
>> I created a user 'test' and tried to update a couple of attributes. I 
>> get an error when I do:
>>
>> Insufficient access: Insufficient 'write' privilege to the 'mail' 
>> attribute of entry 'uid=test,cn=users,cn=accounts,dc=greyoak,dc=com'.
>>
>> I think this is the relevant ACI that is failing:
>>
>> [29/Oct/2007:14:03:04 -0400] NSACLPlugin - Evaluated ACL_FALSE
>> [29/Oct/2007:14:03:04 -0400] NSACLPlugin - conn=97 op=3 (main): Deny write on entry(uid=test,cn=users,cn=accounts,dc=greyoak,dc=com).attr(mail): no aci matched the subject by aci(7): aciname= "Account Admins can manage Users and Groups", acidn="dc=greyoak,dc=com"
>>
>> I'm guessing that it is more a lack of a "user can modify themselves" ACI.
> 
> But should we allow users to modify their own entries?
> And if so, which attributes exactly should we let a user modify himself?
> 
> "mail" is not something I would allow, but I guess that depends on the
> use case?
> 

This is the "self service" part.

If we limit the updatable attributes we'll need to have that configured 
somewhere unless we're ok leaving it hardcoded for V1.

rob
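As an added illustration of the "user can modify themselves" ACI discussed above (this is not from the thread and not FreeIPA's shipped ACI), here is a 389 Directory Server self-write ACI in LDIF that grants write only on an explicit attribute list; the suffix dc=example,dc=com and the chosen attributes are assumptions:

```ldif
# Constructed example: attach a self-service ACI to the users container.
# The suffix and the attribute list are assumptions for illustration.
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "mail || telephoneNumber || givenName || sn || cn")
 (version 3.0; acl "Users can modify selected attributes of their own entry";
  allow (write) userdn = "ldap:///self";)
```

Because 389 DS denies by default, attributes not named in targetattr (for example uid, uidNumber, gidNumber, or group membership) stay read-only for the user even with this ACI in place, which is the attribute-limiting behaviour the thread is asking about. The continuation lines begin with a space, as LDIF folding requires, so the value is read back as a single ACI string.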