
From 651e28c1fb6b86ad1fbd4ea98644e00b7042499c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Dec 02 2022 12:21:22 +0000
Subject: updates: fix memberManager ACI to allow managers from a specified group
The original implementation of the member manager added support for both
user and group managers but left out upgrade scenario. This means when
upgrading an existing installation, a manager whose rights are defined by the
group membership would not be able to add group members until the ACI is
fixed.
Remove old ACI and add a full one during upgrade step.
Fixes: https://pagure.io/freeipa/issue/9286
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index a168bb9..4a7ba13 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -141,11 +141,13 @@ add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can 
 
 # Allow member managers to modify members of user groups
 dn: cn=groups,cn=accounts,$SUFFIX
-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
+remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
 
 # Allow member managers to modify members of host groups
 dn: cn=hostgroups,cn=accounts,$SUFFIX
-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
+remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
 
 # Hosts can add and delete their own services
 dn: cn=services,cn=accounts,$SUFFIX
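Review bot: The remove:/add: pairs under cn=groups and cn=hostgroups carry no comment explaining that they exist to replace the USERDN-only ACI shipped by earlier releases, so a later maintainer may collapse them back into a single add: and silently reintroduce the upgrade gap this commit fixes. A one-line comment above each pair would pin the intent, e.g. `# Upgrade: replace the USERDN-only ACI from earlier releases so group-based (GROUPDN) member managers work after upgrade (https://pagure.io/freeipa/issue/9286)`. Note also that remove: presumably matches the old ACI value verbatim; if a deployment's stored value differs in whitespace or quoting, the old and new ACIs would coexist, which is harmless for authorization since the new rule is a superset, but it is worth covering in the upgrade test so the stale rule does not linger unnoticed. The same comment applies to the hostgroups lines in this hunk.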