[Freeipa-devel] [PATCH 0032] Update ACIs to permit users to add/delete their own tokens

Rich Megginson rmeggins at redhat.com
Thu Jan 9 21:56:00 UTC 2014


On 01/09/2014 02:32 PM, Nathaniel McCallum wrote:
> This patch is independent from my patches 0028-0031 and can be merged in
> any order.
>
> This patch has a bug, but I can't figure it out. We need to set
> nsslapd-access-userattr-strict on cn=config to "off". However, during
> the rpm installation, I get this error:
>
> DEBUG Unhandled LDAPError: UNWILLING_TO_PERFORM: {'info': 'Deleting
> attributes is not allowed', 'desc': 'Server is unwilling to perform'}
> ERROR Update failed: Server is unwilling to perform: Deleting attributes
> is not allowed
>
> I'm not sure what is causing this. Does anyone have any suggestions?
I believe the IPA update mechanism works by doing a modify/del of the 
attribute followed by a modify/add.  By default, cn=config restricts the 
attributes which can be deleted.  You can add 
nsslapd-access-userattr-strict to this list.  Unfortunately, it is 
rather painful to do so.

Method one: Don't use the ipa update mechanism to update this 
attribute.  Instead, just use an ldap modify directly e.g. using ldapmodify:
ldapmodify ....
dn: cn=config
changetype: modify
replace: nsslapd-access-userattr-strict
nsslapd-access-userattr-strict: off

or in python-ldap:
import ldap
conn = ldap.initialize(my_ldap_url)  # e.g. ldap://host:389; ldap.initialize() creates the connection
conn.simple_bind_s("cn=directory manager", "password")
# MOD_REPLACE writes the value whether or not the attribute is currently present,
# so no separate delete is needed and cn=config does not refuse it
mod = [(ldap.MOD_REPLACE, "nsslapd-access-userattr-strict", ['off'])]
conn.modify_s("cn=config", mod)

Method two: allow deletion of nsslapd-access-userattr-strict in order to 
use ipa update method
This will unfortunately require the use of something other than the ipa 
update method, again.
1) do a search to get the current value in cn=config 
nsslapd-allowed-to-delete-attrs - it is a single space delimited list
2) add nsslapd-access-userattr-strict to the list
3) mod/replace the value

>
> Nathaniel
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
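The three steps of method two above, written out as a python-ldap script. This is an added example, not code from the thread or from FreeIPA/389-ds. It assumes `conn` is a python-ldap connection already bound as cn=Directory Manager (as in the snippet in the reply); the search result used at the bottom is a constructed sample, not real server output, and the attribute names in it are placeholders. The list handling is kept in plain functions so it can be checked without a directory server; python-ldap is only imported for the live search/modify step.

```python
# Added example: allow nsslapd-access-userattr-strict to be deleted on cn=config
# by appending it to nsslapd-allowed-to-delete-attrs (search, add, mod/replace).
# `conn` is an assumed, already-bound python-ldap connection.

CONFIG_DN = "cn=config"
ALLOW_ATTR = "nsslapd-allowed-to-delete-attrs"   # one single space-delimited value
TARGET_ATTR = "nsslapd-access-userattr-strict"


def parse_allowed(entry_attrs):
    """Step 1: read the current allow-list from a search_s() attribute dict.

    python-ldap returns values as bytes; a missing attribute means an empty list.
    """
    values = entry_attrs.get(ALLOW_ATTR) or []
    if not values:
        return []
    raw = values[0]
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8")
    return raw.split()


def add_to_allowed(current, attr):
    """Step 2: append attr exactly once (LDAP attribute names are case-insensitive)."""
    if any(a.lower() == attr.lower() for a in current):
        return list(current)
    return list(current) + [attr]


def build_replace_modlist(new_allowed):
    """Step 3: a modlist that replaces the whole value with one space-joined string.

    2 is python-ldap's ldap.MOD_REPLACE, written as a literal so this helper
    also runs where python-ldap is not installed.
    """
    MOD_REPLACE = 2
    joined = " ".join(new_allowed).encode("utf-8")
    return [(MOD_REPLACE, ALLOW_ATTR, [joined])]


def plan_update(entry_attrs, attr=TARGET_ATTR):
    """Steps 1-3 on an already-fetched entry; None means the attr is already allowed."""
    current = parse_allowed(entry_attrs)
    updated = add_to_allowed(current, attr)
    if updated == current:
        return None
    return build_replace_modlist(updated)


def allow_deletion(conn, attr=TARGET_ATTR):
    """Run the three steps live against the assumed bound python-ldap connection."""
    import ldap  # needed only for the live search/modify
    results = conn.search_s(CONFIG_DN, ldap.SCOPE_BASE, "(objectClass=*)", [ALLOW_ATTR])
    _dn, entry_attrs = results[0]
    modlist = plan_update(entry_attrs, attr)
    if modlist is None:
        return False          # nothing to do, no modify sent
    conn.modify_s(CONFIG_DN, modlist)
    return True


if __name__ == "__main__":
    # Constructed sample of a search_s() attribute dict for cn=config;
    # the two names in it are placeholders, not 389-ds defaults.
    sample = {ALLOW_ATTR: [b"example-attr-one example-attr-two"]}
    print(plan_update(sample))
```

Because the whole value is replaced, the script re-reads the current list every time rather than assuming a default, so attributes someone else already added to the list are preserved; when the target attribute is already present it sends no modify at all, which keeps the step safe to re-run from an installer or update script.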
