
From 651e28c1fb6b86ad1fbd4ea98644e00b7042499c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Dec 02 2022 12:21:22 +0000
Subject: updates: fix memberManager ACI to allow managers from a specified group
The original implementation of the member manager added support for both
user and group managers but left out upgrade scenario. This means when
upgrading an existing installation, a manager whose rights are defined by the
group membership would not be able to add group members until the ACI is
fixed.
Remove old ACI and add a full one during upgrade step.
Fixes: https://pagure.io/freeipa/issue/9286
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index a168bb9..4a7ba13 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -141,11 +141,13 @@ add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can 
 
 # Allow member managers to modify members of user groups
 dn: cn=groups,cn=accounts,$SUFFIX
-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
+remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
 
 # Allow member managers to modify members of host groups
 dn: cn=hostgroups,cn=accounts,$SUFFIX
-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
+remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
 
 # Hosts can add and delete their own services
 dn: cn=services,cn=accounts,$SUFFIX
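Review bot: The remove/add pairs under cn=groups and cn=hostgroups read like plain ACI definitions, and nothing in the file says they are an upgrade migration whose `remove:aci:` value has to match the previously deployed USERDN-only ACI exactly. If an existing installation carries a variant of that value (an admin edit, different whitespace), the remove presumably matches nothing and the old ACI stays next to the new one; that looks benign here because the new ACI only widens the same grant to GROUPDN, but a reader maintaining this file should know the intent. I would extend the comment above each pair, e.g. `# Allow member managers to modify members of user groups. The remove+add pair replaces the older USERDN-only ACI on upgraded installations (https://pagure.io/freeipa/issue/9286); the remove value must match what earlier updates installed.` Since the commit message names the upgrade case as the broken scenario, an upgrade test asserting that a manager granted through group membership can add a member afterwards would pin the fix; the same comment applies to the cn=hostgroups pair.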