[Freeipa-devel] Strange ldap aci bug when adding groups
Simo Sorce
ssorce at redhat.com
Tue Sep 11 03:26:32 UTC 2007
On Mon, 2007-09-10 at 21:38 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Kevin McCarthy wrote:
> >> I ran into an issue where the web gui can't add groups. Pete and I have
> >> poked around for an hour and it seems to be a bug in the directory
> >> server. I'm able to add a group via command line when I bind as
> >> uid=test, but when I bind as webservice and enable proxying via command
> >> line, I get permission denied. Strangely, bind as webservice and proxy
> >> _works_ for adding users on the command line.
> >>
> >> I'm going to try and simplify the setup and get a bug report to the FDS
> >> team tomorrow. Just wanted to check if anyone else has hit this issue
> >> yet.
> >>
> >> -Kevin
> >>
> >
> > This is the same thing I reported last week. Set debug to 128 and you'll
> > see an ACI deny.
> >
> > To set the debug level do something like:
> >
> > % ldapmodify -x -D "cn=directory manager" -w freeipa
> > dn: cn=config
> > changetype: modify
> > replace: nsslapd-errorlog-level
> > nsslapd-errorlog-level: 128
>
> I added another ACI and that fixed it. I'm not sure it is the *right*
> ACI :-)
>
> aci: (targetfilter="(&(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,cn=sysaccounts,cn=etc,dc=greyoak,dc=com";)
>
> Once proxied, add,delete,read,write access is already provided via an
> existing ACI. The problem is that proxy isn't allowed. The access ACI is:
>
> aci: (targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")(targetattr="*")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (search,add,delete,read,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=greyoak,dc=com";)
Ok, this means that the filter in the proxy ACI specifies which entries
you are allowed to touch when proxied. This is unexpected; I thought the
target was what you were allowed to proxy as.
I will do some tests tomorrow and will change the proxy ACI
accordingly.
Simo.
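To make the point in the thread concrete (the proxy ACI's targetfilter selects the entries that may be touched under proxy authorization, not the identity being proxied as), here is an added example that is not part of the thread and not FreeIPA or Directory Server code: a small Python check that evaluates the two ACIs quoted above against a group entry and a user entry. It handles only the ACI and filter syntax those two ACIs use; the full `uid=test` DN and the objectClass lists for sample entries are constructed.

```python
import re

# ACIs as quoted in the thread (DNs exactly as they appear there).
PROXY_ACI = ('(targetfilter="(&(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")'
             '(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) '
             'userdn="ldap:///uid=webservice,cn=sysaccounts,cn=etc,dc=greyoak,dc=com";)')
ADMIN_ACI = ('(targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)'
             '(objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")'
             '(targetattr="*")(version 3.0; acl "Account Admins can manage Users and Groups"; '
             'allow (search,add,delete,read,write) '
             'groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=greyoak,dc=com";)')
WEBSERVICE = "uid=webservice,cn=sysaccounts,cn=etc,dc=greyoak,dc=com"
ADMINS = "cn=admins,cn=groups,cn=accounts,dc=greyoak,dc=com"

def parse_aci(aci):
    """Extract the clauses this check needs; targetattr is ignored (both ACIs use "*")."""
    return {
        "filter": re.search(r'targetfilter="([^"]+)"', aci).group(1),
        "rights": set(re.search(r'allow \(([^)]+)\)', aci).group(1).replace(" ", "").split(",")),
        "subject": re.search(r'(userdn|groupdn)="ldap:///([^"]+)"', aci).groups(),
    }

def filter_matches(flt, objectclasses):
    """Evaluate the filter subset used above: (&...), (|...) and (objectClass=X)."""
    ocs = {oc.lower() for oc in objectclasses}
    def walk(i):
        if flt[i + 1] in "&|":              # compound filter: evaluate each child
            op, i, results = flt[i + 1], i + 2, []
            while flt[i] != ")":
                val, i = walk(i)
                results.append(val)
            return (all if op == "&" else any)(results), i + 1
        j = flt.index(")", i)               # simple equality, e.g. (objectClass=posixGroup)
        attr, _, value = flt[i + 1:j].partition("=")
        return attr.lower() == "objectclass" and value.lower() in ocs, j + 1
    return walk(0)[0]

def aci_grants(aci, right, bind_dn, bind_groups, entry_objectclasses):
    """True if this allow ACI gives `right` to `bind_dn` (a member of `bind_groups`)
    on an entry carrying `entry_objectclasses`."""
    p = parse_aci(aci)
    kind, dn = p["subject"]
    if kind == "userdn":
        subject_ok = dn.lower() == bind_dn.lower()
    else:
        subject_ok = dn.lower() in {g.lower() for g in bind_groups}
    return subject_ok and right in p["rights"] and filter_matches(p["filter"], entry_objectclasses)

def proxy_allowed(acis, bind_dn, entry_objectclasses):
    """Does any ACI let bind_dn use proxy authorization on such an entry at all?"""
    return any(aci_grants(a, "proxy", bind_dn, [], entry_objectclasses) for a in acis)
```

With only the admin ACI loaded, `proxy_allowed` is false for the webservice account even though the proxied-as identity would have `add`, which is exactly the deny seen at error log level 128.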