[Freeipa-users] Modify the mail forgot in the aci "Modify Users"

Rob Crittenden rcritten at redhat.com
Thu Jun 10 14:58:48 UTC 2010


ALAHYANE Rachid wrote:
> Hi,
> 
> I am working with ACIs and I noticed that you forgot to add mail in the 
> set of attributes that can be modified:
> 
>    
> ============================================
> ipa aci-find "Modify Users"
> ---------
> aci-find:
> ---------
> (targetattr = "givenName || sn || cn || displayName || title || initials 
> || loginShell || gecos || homePhone || mobile || pager || 
> facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l 
> || st || postalCode || manager || secretary || description || carLicense 
> || labeledURI || inetUserHTTPURL || seeAlso || employeeType || 
> businessCategory || ou")(target = 
> "ldap:///uid=*,cn=users,cn=accounts,dc=gamma,dc=domain,dc=org")(version 
> 3.0;acl "Modify Users";allow (write) groupdn = 
> "ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,dc=gamma,dc=domain,dc=org";)
> ============================================
> 
> When I try to fix this problem, I do not know why my ACI is deleted!
> 
> ============================================
> ipa -v aci-mod "Modify Users" --attrs=mail --memberof=ipausers
> ipa: INFO: skipping plugin module ipalib.plugins.cert: env.enable_ra is 
> not True
> ipa: INFO: Created connection context.xmlclient
> ipa: INFO: aci_mod(u'Modify Users', attrs=(u'mail',), memberof=u'ipausers')
> ipa: INFO: Forwarding 'aci_mod' to server 
> u'https://server.gamma.domain.org/ipa/xml'
> ipa: INFO: Destroyed connection context.xmlclient
> ipa: ERROR: overlapping arguments and options: ['aciname']
> ============================================
> ipa -v aci-mod  --attrs=mail  "Modify Users"
> ipa: INFO: skipping plugin module ipalib.plugins.cert: env.enable_ra is 
> not True
> ipa: INFO: Created connection context.xmlclient
> ipa: INFO: aci_mod(u'Modify Users', attrs=(u'mail',))
> ipa: INFO: Forwarding 'aci_mod' to server 
> u'https://server.gamma.domain.org/ipa/xml'
> ipa: INFO: Destroyed connection context.xmlclient
> ipa: ERROR: ACI with name "Modify Users" not found
> ============================================
> ipa -v aci-show "Modify Users"
> ipa: INFO: skipping plugin module ipalib.plugins.cert: env.enable_ra is 
> not True
> ipa: INFO: Created connection context.xmlclient
> ipa: INFO: aci_show(u'Modify Users')
> ipa: INFO: Forwarding 'aci_show' to server 
> u'https://server.gamma.domain.org/ipa/xml'
> ipa: INFO: Destroyed connection context.xmlclient
> ipa: ERROR: ACI with name "Modify Users" not found
> ============================================
> 
> 
> I am using the v1.9.0 version and I do not know if it is fixed now.

I don't think it's anything you're doing wrong. Looks like a bug in the 
aci plugin, I'll take a look.

As an aside though I wouldn't set the ipausers as a memberof on this 
ACI. What that will do is allow any user to modify any other user. I 
doubt this is what you want.

Even if you did it would be better to add the ipausers group as a member 
of the "Modify Users" rolegroup.

rob
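
An added example, not part of the original thread and not FreeIPA's own code: a small parser for the ACI syntax shown in the quoted `aci-find` output, used to check which attributes the "Modify Users" ACI lets the bind group write. The names `parse_aci` and `grants_write` are hypothetical, and the parser assumes the single allow/deny rule form seen in this thread.

```python
import re

# The "Modify Users" ACI from the quoted aci-find output, with the mail
# client's line wraps joined back together.
MODIFY_USERS_ACI = (
    '(targetattr = "givenName || sn || cn || displayName || title || initials '
    '|| loginShell || gecos || homePhone || mobile || pager || '
    'facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l '
    '|| st || postalCode || manager || secretary || description || carLicense '
    '|| labeledURI || inetUserHTTPURL || seeAlso || employeeType || '
    'businessCategory || ou")(target = '
    '"ldap:///uid=*,cn=users,cn=accounts,dc=gamma,dc=domain,dc=org")(version '
    '3.0;acl "Modify Users";allow (write) groupdn = '
    '"ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,dc=gamma,dc=domain,dc=org";)'
)

TARGET_RE = re.compile(r'\(\s*(\w+)\s*(!?=)\s*"([^"]*)"\s*\)')
BODY_RE = re.compile(
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;\s*'
    r'(?P<verb>allow|deny)\s*\((?P<rights>[^)]*)\)\s*(?P<bind>.*?)\s*;\s*\)\s*$',
    re.S | re.I)

def parse_aci(aci):
    """Split an ACI string into target clauses, name, rights and bind rule."""
    body = BODY_RE.search(aci)
    if body is None:
        raise ValueError("not a version 3.0 ACI with a single allow/deny rule")
    targets = {k.lower(): (op, v) for k, op, v in TARGET_RE.findall(aci[:body.start()])}
    op, attrs = targets.get("targetattr", ("=", ""))
    return {
        "name": body["name"],
        "verb": body["verb"].lower(),
        "rights": [r.strip().lower() for r in body["rights"].split(",")],
        "bind": body["bind"],
        "targets": targets,
        "attrs": [a.strip().lower() for a in attrs.split("||") if a.strip()],
        "attrs_negated": op == "!=",
    }

def grants_write(aci, attr):
    """True if the ACI allows write on attr (attribute names are case-insensitive)."""
    p = parse_aci(aci)
    if p["verb"] != "allow" or not {"write", "all"} & set(p["rights"]):
        return False
    listed = "*" in p["attrs"] or attr.lower() in p["attrs"]
    # targetattr != "x" covers every attribute except the listed ones.
    return listed != p["attrs_negated"]
```

`grants_write(MODIFY_USERS_ACI, "mail")` returns `False`, matching the report that mail is missing from the writable set, and `parse_aci(...)["bind"]` shows the one group the write right is tied to.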



