[Freeipa-users] Internal FreeIPA Administrators cannot search DNS records

Martin Basti mbasti at redhat.com
Tue Jun 9 11:54:20 UTC 2015


On 09/06/15 13:05, Martin Basti wrote:
> On 09/06/15 12:58, Martin Basti wrote:
>> On 08/06/15 20:59, nathan at nathanpeters.com wrote:
>>> I am trying my best to figure out why any FreeIPA internal
>>> 'administrators' that I create cannot search DNS entries.
>>>
>>> The builtin admin user can search and get results for DNS entries just
>>> fine, but we would rather not share this account with every sysadmin in
>>> our staff.
>>>
>>> I have created a new role called "Super Admin". On the privileges tab for
>>> this user, I have added every single privilege in the 'Add' menu. This
>>> role now has all 29 privileges defined on the system. However, even after
>>> assigning a user to have this role, and logging out and back in again, he
>>> cannot search DNS entries. He can see every DNS entry if he manually
>>> pages through them one at a time (we have several thousand so this is not
>>> workable as you would have to scroll through hundreds of pages). The
>>> problem is any search always returns zero entries.
>>>
>>> I thought maybe something was missing so I created a new privilege called
>>> "All privileges". I then tried to add each individual permission to this
>>> privilege. I could only add 76 permissions. All other permissions would
>>> give the following error when I try to add them: "invalid 'permission':
>>> cannot add permission "System: Read Automount Configuration" with bindtype
>>> "anonymous" to a privilege"
>>>
>>> I can see if I go to the permissions menu that there are actually 174
>>> possible permissions so to only be able to add 76 of them seems really
>>> strange.
>>>
>>> So my questions are:
>>> 1) Why can a user with 'all' privileges not search DNS entries?
>>> 2) Why am I only able to add 76 out of the 174 permissions to a
>>> privilege?
>>> 3) Is there anything that can be done to allow a user that is not the
>>> builtin 'admin' user to search DNS entries or actually be allotted all
>>> permissions on the system?
>>>
>>>
>>>
>> Hello,
>>
>> which version of IPA do you use?
>>
>> I was able to find all zones with a new user on IPA 4.1.
>> I just added the 'DNS administrators' privilege for the new user.
>>
>> Martin
>>
>
> I reproduced this issue. IMO it is not related to permissions, but to the
> search command itself; I will investigate.
>
Indeed you were right, there is a wrong filter, which is denied by ACI.

Thank you for this bug report.

-- 
Martin Basti
