<html>
<head>
<meta content="text/html; charset=ISO-8859-2"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 06/10/2015 02:14 PM, David Kupka
wrote:<br>
</div>
<blockquote cite="mid:55782A17.4070203@redhat.com" type="cite"><a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/5057">https://fedorahosted.org/freeipa/ticket/5057</a>
<br>
</blockquote>
<font face="Times New Roman, Times, serif">Hello David,<br>
<br>
      The patch looks ok except it removes a permission to update 'uid'
      from an active user. This permission is required to
      delete (preserve) an active user.<br>
</font>
<blockquote><tt>- # Active container</tt><tt><br>
</tt><tt>- #</tt><tt><br>
</tt><tt>- # Stage user administrators need write right on
RDN when</tt><tt><br>
</tt><tt>- # the active user is deleted (preserved)</tt><tt><br>
</tt><tt>- 'System: Write Active Users RDN by
administrators': {</tt><tt><br>
</tt><tt>- 'ipapermlocation':
DN(baseuser.active_container_dn, api.env.basedn),</tt><tt><br>
</tt><tt>- 'ipapermbindruletype': 'permission',</tt><tt><br>
</tt><tt>- 'ipapermtarget': DN('uid=*',
baseuser.active_container_dn, api.env.basedn),</tt><tt><br>
</tt><tt>- 'ipapermtargetfilter':
{'(objectclass=posixaccount)'},</tt><tt><br>
</tt><tt>- 'ipapermright': {'write'},</tt><tt><br>
</tt><tt>- 'ipapermdefaultattr': {'uid'},</tt><tt><br>
</tt><tt>- 'default_privileges': {'Stage User
Administrators'},</tt><tt><br>
</tt><tt>- },</tt><tt><br>
</tt><tt>- #</tt><br>
</blockquote>
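    Review bot: removing 'System: Write Active Users RDN by administrators' takes away the 'write' right on 'uid' that 'Stage User Administrators' hold in the active container, and the comment deleted with it says that right is needed when an active user is deleted (preserved); nothing in this hunk replaces it. Keep the entry, renamed if the purpose should be clearer, and keep it as narrow as it is here: 'ipapermright': {'write'}, 'ipapermdefaultattr': {'uid'}, with the (objectclass=posixaccount) target filter, so the privilege gains no more than the RDN write the preserve operation needs.<br>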
<font face="Times New Roman, Times, serif">I prepared a new patch
(attached) with that permission and it makes 'user-del --preserve'
happy.<br>
Now I think the name would rather be something like: 'System:
Preserve an active user (user-del --preserve)'<br>
<br>
I also added back this comment in two permissions 'Note:
targetfilter is the target parent container'. <br>
This was to say that the targetfilter setting was intentional.<br>
If you think it is not the right place, you may remove those
comments.<br>
<br>
Thanks<br>
thierry<br>
</font>
</body>
</html>