[Freeipa-devel] Strange ldap aci bug when adding groups

Simo Sorce ssorce at redhat.com
Tue Sep 11 03:26:32 UTC 2007


On Mon, 2007-09-10 at 21:38 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Kevin McCarthy wrote:
> >> I ran into an issue where the web gui can't add groups.  Pete and I have
> >> poked around for an hour and it seems to be a bug in the directory
> >> server.  I'm able to add a group via command line when I bind as
> >> uid=test, but when I bind as webservice and enable proxying via command
> >> line, I get permission denied.  Strangely, bind as webservice and proxy
> >> _works_ for adding users on the command line.
> >>
> >> I'm going to try and simplify the setup and get a bug report to the FDS
> >> team tomorrow.  Just wanted to check if anyone else has hit this issue
> >> yet.
> >>
> >> -Kevin
> >>
> > 
> > This is the same thing I reported last week. Set debug to 128 and you'll 
> > see an ACI deny.
> > 
> > To set the debug level do something like:
> > 
> > % ldapmodify -x -D "cn=directory manager" -w freeipa
> > dn: cn=config
> > changetype: modify
> > replace: nsslapd-errorlog-level
> > nsslapd-errorlog-level: 128
> 
> I added another ACI and that fixed it. I'm not sure it is the *right* 
> ACI :-)
> 
> aci: 
> (targetfilter="(&(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")(targetattr="*")(version 
> 3.0; acl "allowproxy-webservice"; allow (proxy) 
> userdn="ldap:///uid=webservice,cn=sysaccounts,cn=etc,dc=greyoak,dc=com";)
> 
> Once proxied add,delete,read,write access is already provided via an 
> existing ACI. The problem is that proxy isn't allowed. The access ACI is:
> 
> aci: (targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)
> (objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")
> (targetattr="*")(version 3.0; acl "Account Admins can manage Users and 
> Groups";
> allow (search,add,delete,read,write) 
> groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=greyoak,dc=com";)

Ok, this means that the filter in the proxy ACI means that those are the
entries you are allowed to touch when proxied. This is unexpected; I
thought the target was what you were allowed to proxy as.
I will do some tests tomorrow and will change the proxy ACI
accordingly.

Simo.
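Added illustration (not part of the thread, and not FreeIPA or 389 DS code): a toy model of how the directory server combines the two ACIs quoted above when the web service binds as uid=webservice and sends a proxied-authorization control. It parses the two ACI strings as Rob posted them, evaluates their targetfilters against the entry being added, and checks the two grants a proxied add needs: the bound identity must hold the "proxy" right on the target entry, and the proxied identity must hold "add" on the same entry. Assumptions: the full DN of uid=test, its membership in cn=admins, the sample group and user entries, and the simplified ACI evaluator itself (allow rules only, targetattr ignored) are all constructed here; the pre-existing proxy ACI that makes user adds work is not shown in the thread, so only the two quoted ACIs are modelled.

```python
import re

# --- ACI and filter parsing (subset sufficient for the two ACIs quoted in the thread) ---

def parse_filter(text):
    """Parse the subset of RFC 4515 filters used here: (&...), (|...), (attr=value).
    Whitespace is stripped first because the mailing-list copy wraps filters across lines."""
    s = re.sub(r"\s+", "", text)
    pos = 0

    def node():
        nonlocal pos
        if s[pos] != "(":
            raise ValueError("expected '(' at %d in %r" % (pos, s))
        pos += 1
        if s[pos] in "&|":
            op = s[pos]
            pos += 1
            children = []
            while s[pos] == "(":
                children.append(node())
            if s[pos] != ")":
                raise ValueError("expected ')' at %d in %r" % (pos, s))
            pos += 1
            return (op, children)
        end = s.index(")", pos)
        attr, value = s[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr.lower(), value.lower())

    result = node()
    if pos != len(s):
        raise ValueError("trailing characters in filter %r" % s)
    return result


def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict: lowercase attribute -> list of values)."""
    op = node[0]
    if op == "&":
        return all(matches(n, entry) for n in node[1])
    if op == "|":
        return any(matches(n, entry) for n in node[1])
    _, attr, value = node
    return value in [v.lower() for v in entry.get(attr, [])]


ACI_RE = re.compile(
    r'\(targetfilter="(?P<filter>[^"]+)"\)\s*'
    r'\(targetattr="(?P<attr>[^"]+)"\)\s*'
    r'\(version 3\.0;\s*acl "(?P<name>[^"]+)";\s*'
    r'allow \((?P<rights>[^)]+)\)\s*'
    r'(?P<subject>userdn|groupdn)="ldap:///(?P<dn>[^"]+)";\)'
)


def parse_aci(text):
    """Parse an 'aci:' value into a dict. Only the keywords used in the thread are supported."""
    m = ACI_RE.search(" ".join(text.split()))  # collapse the line wrapping of a pasted ACI
    if not m:
        raise ValueError("unsupported ACI syntax: %r" % text)
    return {
        "name": m.group("name"),
        "filter": parse_filter(m.group("filter")),
        "rights": {r.strip().lower() for r in m.group("rights").split(",")},
        "subject": m.group("subject"),
        "dn": m.group("dn").lower(),
    }


# --- Toy evaluator: allow rules only, targetattr ignored (both ACIs use "*") ---

def allowed(acis, entry, right, who, groups_of):
    """True if some ACI whose targetfilter matches `entry` grants `right` to `who`,
    either directly (userdn) or through a group `who` belongs to (groupdn)."""
    who = who.lower()
    member_of = {g.lower() for g in groups_of.get(who, [])}
    for aci in acis:
        if right not in aci["rights"] or not matches(aci["filter"], entry):
            continue
        if aci["subject"] == "userdn" and aci["dn"] == who:
            return True
        if aci["subject"] == "groupdn" and aci["dn"] in member_of:
            return True
    return False


def proxied_add_allowed(acis, entry, bind_dn, proxy_dn, groups_of):
    """A proxied add succeeds only if the bound DN holds 'proxy' on the target entry
    AND the proxied DN holds 'add' on it. Both checks run against the entry being added,
    which is why the targetfilter of the proxy ACI selects entries, not identities."""
    return (allowed(acis, entry, "proxy", bind_dn, groups_of)
            and allowed(acis, entry, "add", proxy_dn, groups_of))


# --- Data: the two ACIs from the thread, plus constructed entries and identities ---
PROXY_ACI = ('(targetfilter="(&(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")'
             '(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) '
             'userdn="ldap:///uid=webservice,cn=sysaccounts,cn=etc,dc=greyoak,dc=com";)')
ACCESS_ACI = ('(targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)'
              '(objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")'
              '(targetattr="*")(version 3.0; acl "Account Admins can manage Users and Groups"; '
              'allow (search,add,delete,read,write) '
              'groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=greyoak,dc=com";)')
ACIS_ACCESS_ONLY = [parse_aci(ACCESS_ACI)]
ACIS_WITH_PROXY = [parse_aci(ACCESS_ACI), parse_aci(PROXY_ACI)]

WEBSERVICE_DN = "uid=webservice,cn=sysaccounts,cn=etc,dc=greyoak,dc=com"  # from the thread
ADMINS_DN = "cn=admins,cn=groups,cn=accounts,dc=greyoak,dc=com"           # from the thread
TEST_DN = "uid=test,cn=users,cn=accounts,dc=greyoak,dc=com"               # constructed full DN
GROUPS_OF = {TEST_DN: [ADMINS_DN]}                                        # constructed membership
GROUP_ENTRY = {"cn": ["testgroup"], "gidnumber": ["1001"],                # constructed group entry
               "objectclass": ["top", "groupOfUniqueNames", "posixGroup"]}
USER_ENTRY = {"uid": ["jdoe"],                                            # constructed user entry
              "objectclass": ["top", "person", "posixAccount", "krbPrincipalAux"]}

if __name__ == "__main__":
    for label, acis, entry in [("group add, access ACI only", ACIS_ACCESS_ONLY, GROUP_ENTRY),
                               ("group add, with proxy ACI", ACIS_WITH_PROXY, GROUP_ENTRY),
                               ("user add, with proxy ACI", ACIS_WITH_PROXY, USER_ENTRY)]:
        print(label, "->", proxied_add_allowed(acis, entry, WEBSERVICE_DN, TEST_DN, GROUPS_OF))
```

The third case is the one Simo describes: with only the new proxy ACI, the web service can proxy adds of group entries but not of person entries, because the targetfilter picks the entries on which the proxy right holds. A proxy ACI meant to cover both users and groups therefore needs a filter at least as wide as the access ACI's.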
