[Freeipa-users] Internal FreeIPA Administrators cannot search DNS records

Petr Spacek pspacek at redhat.com
Tue Jun 9 13:37:23 UTC 2015


On 9.6.2015 13:54, Martin Basti wrote:
> On 09/06/15 13:05, Martin Basti wrote:
>> On 09/06/15 12:58, Martin Basti wrote:
>>> On 08/06/15 20:59, nathan at nathanpeters.com wrote:
>>>> I am trying my best to figure out why any FreeIPA internal
>>>> 'administrators' that I create cannot search DNS entries.
>>>>
>>>> The builtin admin user can search and get results for DNS entries just
>>>> fine, but we would rather not share this account with every sysadmin in
>>>> our staff.
>>>>
>>>> I have created a new role called "Super Admin".  On the privileges tab for
>>>> this user, I have added every single privilege in the 'Add' menu.  This
>>>> role now has all 29 privileges defined on the system. However, even after
>>>> assigning a user to this role, and logging out and back in again, he
>>>> cannot search DNS entries.  He can see every DNS entry if he manually
>>>> pages through them one at a time (we have several thousand so this is not
>>>> workable as you would have to scroll through hundreds of pages).  The
>>>> problem is any search always returns zero entries.
>>>>
>>>> I thought maybe something was missing so I created a new privilege called
>>>> "All privileges".  I then tried to add each individual permission to this
>>>> privilege.  I could only add 76 permissions.  All other permissions would
>>>> give the following error when I try to add them: "invalid 'permission':
>>>> cannot add permission "System: Read Automount Configuration" with bindtype
>>>> "anonymous" to a privilege"
>>>>
>>>> I can see if I go to the permissions menu that there are actually 174
>>>> possible permissions so to only be able to add 76 of them seems really
>>>> strange.
>>>>
>>>> So my questions are:
>>>> 1) Why can a user with 'all' privileges not search DNS entries?
>>>> 2) Why am I only able to add 76 out of the 174 permissions to a privilege?
>>>> 3) Is there anything that can be done to allow a user that is not the
>>>> builtin 'admin' user to search DNS entries or actually be allotted all
>>>> permissions on the system?
>>>>
>>>>
>>> Hello,
>>>
>>> Which version of IPA do you use?
>>>
>>> I was able to find all zones with a new user on IPA 4.1.
>>> I just added the 'DNS administrators' privilege for the new user.
>>>
>>> Martin
>>>
>>
>> I reproduced this issue. IMO it is not related to permissions, but to the search
>> command itself; I will investigate.
>>
> Indeed you were right, there is a wrong filter, which is denied by ACI.
> 
> Thank you for this bug report.

Ticket: https://fedorahosted.org/freeipa/ticket/5055

-- 
Petr^2 Spacek