|
 |
f17082 |
From 651e28c1fb6b86ad1fbd4ea98644e00b7042499c Mon Sep 17 00:00:00 2001
|
|
|
f17082 |
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
f17082 |
Date: Dec 02 2022 12:21:22 +0000
|
|
|
f17082 |
Subject: updates: fix memberManager ACI to allow managers from a specified group
|
|
|
f17082 |
|
|
|
f17082 |
|
|
|
f17082 |
The original implementation of the member manager added support for both
|
|
|
f17082 |
user and group managers but left out upgrade scenario. This means when
|
|
|
f17082 |
upgrading existing installation a manager whose rights defined by the
|
|
|
f17082 |
group membership would not be able to add group members until the ACI is
|
|
|
f17082 |
fixed.
|
|
|
f17082 |
|
|
|
f17082 |
Remove old ACI and add a full one during upgrade step.
|
|
|
f17082 |
|
|
|
f17082 |
Fixes: https://pagure.io/freeipa/issue/9286
|
|
|
f17082 |
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
f17082 |
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
|
f17082 |
|
|
|
f17082 |
---
|
|
|
f17082 |
|
|
|
f17082 |
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
|
|
|
f17082 |
index a168bb9..4a7ba13 100644
|
|
|
f17082 |
--- a/install/updates/20-aci.update
|
|
|
f17082 |
+++ b/install/updates/20-aci.update
|
|
|
f17082 |
@@ -141,11 +141,13 @@ add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can
|
|
|
f17082 |
|
|
|
f17082 |
# Allow member managers to modify members of user groups
|
|
|
f17082 |
dn: cn=groups,cn=accounts,$SUFFIX
|
|
|
f17082 |
-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
|
|
|
f17082 |
+remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
|
|
|
f17082 |
+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
|
|
|
f17082 |
|
|
|
f17082 |
# Allow member managers to modify members of host groups
|
|
|
f17082 |
dn: cn=hostgroups,cn=accounts,$SUFFIX
|
|
|
f17082 |
-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
|
|
|
f17082 |
+remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
|
|
|
f17082 |
+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
|
|
|
f17082 |
|
|
|
f17082 |
# Hosts can add and delete their own services
|
|
|
f17082 |
dn: cn=services,cn=accounts,$SUFFIX
|
|
|
f17082 |
|