[Freeipa-devel] Strange ldap aci bug when adding groups

Rob Crittenden rcritten at redhat.com
Tue Sep 11 01:38:51 UTC 2007


Rob Crittenden wrote:
> Kevin McCarthy wrote:
>> I ran into an issue where the web gui can't add groups.  Pete and I have
>> poked around for an hour and it seems to be a bug in the directory
>> server.  I'm able to add a group via command line when I bind as
>> uid=test, but when I bind as webservice and enable proxying via command
>> line, I get permission denied.  Strangely, bind as webservice and proxy
>> _works_ for adding users on the command line.
>>
>> I'm going to try and simplify the setup and get a bug report to the FDS
>> team tomorrow.  Just wanted to check if anyone else has hit this issue
>> yet.
>>
>> -Kevin
>>
> 
> This is the same thing I reported last week. Set debug to 128 and you'll 
> see an ACI deny.
> 
> To set the debug level do something like:
> 
> % ldapmodify -x -D "cn=directory manager" -w freeipa
> dn: cn=config
> changetype: modify
> replace: nsslapd-errorlog-level
> nsslapd-errorlog-level: 128

I added another ACI and that fixed it. I'm not sure it is the *right* 
ACI :-)

aci: 
(targetfilter="(&(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")(targetattr="*")(version 
3.0; acl "allowproxy-webservice"; allow (proxy) 
userdn="ldap:///uid=webservice,cn=sysaccounts,cn=etc,dc=greyoak,dc=com";)

Once proxied, add, delete, read and write access is already provided via an 
existing ACI. The problem is that proxy isn't allowed. The access ACI is:

aci: (targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)
(objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")
(targetattr="*")(version 3.0; acl "Account Admins can manage Users and 
Groups";
allow (search,add,delete,read,write) 
groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=greyoak,dc=com";)

rob
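The two-step check Rob's mail describes (the bind DN needs a `proxy` grant on the target entry, and the proxied identity then needs the actual `add`/`write` grant) is easy to get wrong when the two ACIs have different targetfilters. The following is an added example, not code from the thread or from FreeIPA or 389 DS: a small model of that evaluation, using the two ACI strings quoted above. The `allowproxy-users` ACI is constructed to stand in for whatever pre-existing proxy grant covered user entries but not groups (the thread implies such a grant exists, since proxied user adds worked); the `uid=test` DN path, the `uid=test2` account and the admins group membership are constructed sample data.

```python
"""Model of how a directory server evaluates ACIs for a proxied (authzid) operation.

Added example for the freeipa-devel thread above; not code from 389 DS or FreeIPA.
A proxied write needs two independent grants on the SAME target entry:
  1. the bind DN must hold the 'proxy' right;
  2. the proxied identity must hold the requested right (add, write, ...).
The 'allowproxy-users' ACI below is CONSTRUCTED (assumed to be the grant that
made proxied user adds work while group adds failed). DNs for uid=test, uid=test2
and the admins membership are constructed sample data.
"""
from dataclasses import dataclass


def parse_filter(s, i=0):
    """Parse the filter subset used by these ACIs: (&...), (|...), (attr=value).

    Returns (node, index_after_node). NOT and substring filters are not modelled.
    """
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.lower(), value.lower()), j + 1


def matches(node, entry):
    """entry: dict mapping lowercase attribute name -> list of values."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, value = node
    return value in (v.lower() for v in entry.get(attr, []))


@dataclass
class Aci:
    name: str
    targetfilter: str
    rights: frozenset
    userdn: str = None    # ldap:///<dn>: exact subject match
    groupdn: str = None   # ldap:///<group dn>: subject must be a member

    def applies_to(self, entry):
        node, _ = parse_filter(self.targetfilter)
        return matches(node, entry)

    def grants(self, subject_dn, right, groups):
        if right not in self.rights:
            return False
        if self.userdn is not None:
            return self.userdn == f"ldap:///{subject_dn}"
        members = groups.get(self.groupdn.removeprefix("ldap:///"), set())
        return subject_dn in members


def allowed(acis, bind_dn, right, entry, groups, proxy_dn=None):
    """True if bind_dn may perform `right` on entry, optionally acting as proxy_dn."""
    if proxy_dn is not None:
        # Step 1: the binder itself needs 'proxy' on THIS target entry.
        if not any(a.applies_to(entry) and a.grants(bind_dn, "proxy", groups) for a in acis):
            return False
        subject = proxy_dn
    else:
        subject = bind_dn
    # Step 2: the effective identity needs the requested right on the entry.
    return any(a.applies_to(entry) and a.grants(subject, right, groups) for a in acis)


BASE = "dc=greyoak,dc=com"
WEBSERVICE = f"uid=webservice,cn=sysaccounts,cn=etc,{BASE}"
TEST_USER = f"uid=test,cn=users,cn=accounts,{BASE}"     # constructed DN path
OUTSIDER = f"uid=test2,cn=users,cn=accounts,{BASE}"     # constructed, not an admin
ADMINS = f"cn=admins,cn=groups,cn=accounts,{BASE}"
GROUPS = {ADMINS: {TEST_USER}}                          # constructed membership

# The two ACIs quoted in Rob's mail (filters joined onto one line).
ACCESS = Aci("Account Admins can manage Users and Groups",
             "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)"
             "(objectClass=groupOfUniqueNames)(objectClass=posixGroup))",
             frozenset({"search", "add", "delete", "read", "write"}),
             groupdn=f"ldap:///{ADMINS}")
PROXY_GROUPS = Aci("allowproxy-webservice",
                   "(&(objectClass=groupOfUniqueNames)(objectClass=posixGroup))",
                   frozenset({"proxy"}), userdn=f"ldap:///{WEBSERVICE}")
# Constructed stand-in for the pre-existing proxy grant that covered users only.
PROXY_USERS = Aci("allowproxy-users (constructed)",
                  "(|(objectClass=person)(objectClass=posixAccount))",
                  frozenset({"proxy"}), userdn=f"ldap:///{WEBSERVICE}")

USER_ENTRY = {"objectclass": ["person", "posixAccount", "krbPrincipalAux"]}
GROUP_ENTRY = {"objectclass": ["groupOfUniqueNames", "posixGroup"]}


def proxied_add(acis, entry, proxy_dn=TEST_USER):
    """webservice binds and proxies as proxy_dn to add `entry`."""
    return allowed(acis, WEBSERVICE, "add", entry, GROUPS, proxy_dn=proxy_dn)


if __name__ == "__main__":
    before = [ACCESS, PROXY_USERS]
    after = before + [PROXY_GROUPS]
    print("proxied add user, before fix: ", proxied_add(before, USER_ENTRY))   # True
    print("proxied add group, before fix:", proxied_add(before, GROUP_ENTRY))  # False
    print("proxied add group, after fix: ", proxied_add(after, GROUP_ENTRY))   # True
```

The model makes the failure mode visible: the access ACI already covers group entries, so a direct bind as an admins member succeeds, but the proxy right is evaluated separately against the same target, and a proxy grant whose targetfilter only reaches user entries denies the group add before the access ACI is even consulted. It also shows that the added proxy ACI does not widen who can write groups: a proxied identity outside `cn=admins` is still denied at step 2.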