[Freeipa-users] Internal FreeIPA Administrators cannot search DNS records
Martin Basti
mbasti at redhat.com
Tue Jun 9 11:54:20 UTC 2015
On 09/06/15 13:05, Martin Basti wrote:
> On 09/06/15 12:58, Martin Basti wrote:
>> On 08/06/15 20:59, nathan at nathanpeters.com wrote:
>>> I am trying my best to figure out why any FreeIPA internal
>>> 'administrators' that I create cannot search DNS entries.
>>>
>>> The builtin admin user can search and get results for DNS entries just
>>> fine, but we would rather not share this account with every sysadmin in
>>> our staff.
>>>
>>> I have created a new role called "Super Admin". On the privileges tab
>>> for this user, I have added every single privilege in the 'Add' menu.
>>> This role now has all 29 privileges defined on the system. However, even
>>> after assigning a user to this role, and logging out and back in again,
>>> he cannot search DNS entries. He can see every DNS entry if he manually
>>> pages through them one at a time (we have several thousand, so this is
>>> not workable as you would have to scroll through hundreds of pages). The
>>> problem is that any search always returns zero entries.
>>>
>>> I thought maybe something was missing, so I created a new privilege
>>> called "All privileges". I then tried to add each individual permission
>>> to this privilege. I could only add 76 permissions. All other permissions
>>> would give the following error when I tried to add them: "invalid
>>> 'permission': cannot add permission "System: Read Automount Configuration"
>>> with bindtype "anonymous" to a privilege"
>>>
>>> I can see if I go to the permissions menu that there are actually 174
>>> possible permissions, so only being able to add 76 of them seems really
>>> strange.
>>>
>>> So my questions are:
>>> 1) Why can a user with 'all' privileges not search DNS entries?
>>> 2) Why am I only able to add 76 out of the 174 permissions to a
>>> privilege?
>>> 3) Is there anything that can be done to allow a user that is not the
>>> builtin 'admin' user to search DNS entries, or actually be allotted all
>>> permissions on the system?
>>>
>>>
>> Hello,
>>
>> which version of IPA do you use?
>>
>> I was able to find all zones with new user on IPA 4.1.
>> I just add the 'DNS administrators' privilege for the new user.
>>
>> Martin
>>
>
> I reproduced this issue. IMO it is not related to permissions, but to the
> search command itself; I will investigate.
>
Indeed you were right: there is a wrong filter, which is denied by ACI.
Thank you for this bug report.
--
Martin Basti
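The delegation Martin describes (a dedicated role carrying the 'DNS Administrators' privilege, instead of sharing the builtin admin account) as an added example, not code from the thread or from the FreeIPA project. The role name, user name and zone are constructed placeholders; it assumes the `ipa` client CLI and a Kerberos ticket for an account allowed to manage roles.

```shell
#!/bin/sh
# Added example: least-privilege DNS delegation in FreeIPA.
# "Super Admin", "jdoe" and the zone name are constructed placeholders.
set -eu

# Create (or reuse) a role, attach the 'DNS Administrators' privilege and
# make the user a member. This is the single privilege Martin reports as
# sufficient for zone searches on IPA 4.1.
grant_dns_admin_role() {
    role="$1"
    user="$2"
    # role-add fails if the role already exists; tolerate that case.
    ipa role-add "$role" --desc="Delegated DNS administration" 2>/dev/null || true
    ipa role-add-privilege "$role" --privileges="DNS Administrators"
    ipa role-add-member "$role" --users="$user"
}

# Verify what the delegated user can actually see: after 'kinit' as that
# user, count the zones a search returns. A count of 0 while paging
# through zones works is the symptom reported in the thread.
count_dns_zones() {
    # In --raw output every matching zone prints an "  idnsname:" line.
    ipa dnszone-find --raw 2>/dev/null | grep -c '^  idnsname:' || true
}

# Same check for records inside one zone.
count_dns_records() {
    zone="$1"
    ipa dnsrecord-find "$zone" --raw 2>/dev/null | grep -c '^  idnsname:' || true
}

# Usage (uncomment after 'kinit' as the delegated user):
# grant_dns_admin_role "Super Admin" jdoe
# count_dns_zones
# count_dns_records example.test
```

If the counts stay at 0 for the delegated user while the builtin admin sees results, the role is not the cause, which matches Martin's finding that the search filter itself was being denied by ACI.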