|
 |
bbecb6 |
From 42be04fe4ff317efe599dcbc2637f94ecc6fa220 Mon Sep 17 00:00:00 2001
|
|
|
bbecb6 |
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
bbecb6 |
Date: Mon, 21 Nov 2022 16:12:46 +0200
|
|
|
bbecb6 |
Subject: [PATCH] updates: fix memberManager ACI to allow managers from a
|
|
|
bbecb6 |
specified group
|
|
|
bbecb6 |
|
|
|
bbecb6 |
The original implementation of the member manager added support for both
|
|
|
bbecb6 |
user and group managers but left out upgrade scenario. This means when
|
|
|
bbecb6 |
upgrading existing installation a manager whose rights defined by the
|
|
|
bbecb6 |
group membership would not be able to add group members until the ACI is
|
|
|
bbecb6 |
fixed.
|
|
|
bbecb6 |
|
|
|
bbecb6 |
Remove old ACI and add a full one during upgrade step.
|
|
|
bbecb6 |
|
|
|
bbecb6 |
Fixes: https://pagure.io/freeipa/issue/9286
|
|
|
bbecb6 |
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
bbecb6 |
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
|
bbecb6 |
---
|
|
|
bbecb6 |
install/updates/20-aci.update | 6 ++++--
|
|
|
bbecb6 |
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
|
bbecb6 |
|
|
|
bbecb6 |
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
|
|
|
bbecb6 |
index a168bb9573a9fbb9ff15f0b19bb8ec75b48d82a9..4a7ba137c4711aa3f8b064fdd482ffee76c59949 100644
|
|
|
bbecb6 |
--- a/install/updates/20-aci.update
|
|
|
bbecb6 |
+++ b/install/updates/20-aci.update
|
|
|
bbecb6 |
@@ -141,11 +141,13 @@ add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can
|
|
|
bbecb6 |
|
|
|
bbecb6 |
# Allow member managers to modify members of user groups
|
|
|
bbecb6 |
dn: cn=groups,cn=accounts,$SUFFIX
|
|
|
bbecb6 |
-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
|
|
|
bbecb6 |
+remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
|
|
|
bbecb6 |
+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
|
|
|
bbecb6 |
|
|
|
bbecb6 |
# Allow member managers to modify members of host groups
|
|
|
bbecb6 |
dn: cn=hostgroups,cn=accounts,$SUFFIX
|
|
|
bbecb6 |
-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
|
|
|
bbecb6 |
+remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
|
|
|
bbecb6 |
+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
|
|
|
bbecb6 |
|
|
|
bbecb6 |
# Hosts can add and delete their own services
|
|
|
bbecb6 |
dn: cn=services,cn=accounts,$SUFFIX
|
|
|
bbecb6 |
--
|
|
|
bbecb6 |
2.38.1
|
|
|
bbecb6 |
|