[Freeipa-devel] Need ACI to allow self-modification

Simo Sorce ssorce at redhat.com
Mon Oct 29 19:25:17 UTC 2007


On Mon, 2007-10-29 at 14:58 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Mon, 2007-10-29 at 14:08 -0400, Rob Crittenden wrote:
> >> I'm surprised we haven't seen this yet. I suppose I've done most unit 
> >> testing as 'admin' myself.
> >>
> >> I created a user 'test' and tried to update a couple of attributes. I 
> >> get an error when I do:
> >>
> >> Insufficient access: Insufficient 'write' privilege to the 'mail' 
> >> attribute of entry 'uid=test,cn=users,cn=accounts,dc=greyoak,dc=com'.
> >>
> >> I think this is the relevant ACI that is failing:
> >>
> >> [29/Oct/2007:14:03:04 -0400] NSACLPlugin - Evaluated ACL_FALSE
> >> [29/Oct/2007:14:03:04 -0400] NSACLPlugin - conn=97 op=3 (main): Deny write on entry(uid=test,cn=users,cn=accounts,dc=greyoak,dc=com).attr(mail): no aci matched the subject by aci(7): aciname= "Account Admins can manage Users and Groups", acidn="dc=greyoak,dc=com"
> >>
> >> I'm guessing that it is more a lack of a "user can modify themselves" ACI.
> > 
> > But should we allow users to modify their own entries?
> > And if so, which attributes exactly should we let a user modify himself?
> > 
> > "mail" is not something I would allow, but I guess that depends on the
> > use case?
> > 
> 
> This is the "self service" part.
> 
> If we limit the updatable attributes we'll need to have that configured 
> somewhere unless we are ok leaving it hardcoded for V1.

I guess it is ok to hardcode for v1; if someone needs to change that they
can change the ACI manually, I guess.

For example, in an addressbook system letting a user change his email
may be ok, but if IPA is used by the mail server to deliver mail, then
it is not ok anymore.

Simo.
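As an added example (not the ACI FreeIPA actually ships), this is what a hardcoded self-service ACI of the kind discussed above could look like in 389 Directory Server syntax, using the dc=greyoak,dc=com suffix from the thread; the set of self-writable attributes is an assumption, and mail is deliberately left out of it for the mail-delivery case Simo describes.

```ldif
# Added example, not FreeIPA's own ACI. Loaded with ldapmodify against the
# users container, so it governs the user entries beneath it.
#
# The naive form would be (targetattr = "*") with userdn = "ldap:///self",
# which lets a user rewrite every attribute of their own entry, including
# ones other systems rely on (mail, login-control attributes). The allowlist
# below is the "hardcode a limited set for v1" alternative; the attribute
# names in it are assumed, not taken from FreeIPA.
dn: cn=users,cn=accounts,dc=greyoak,dc=com
changetype: modify
add: aci
aci: (targetattr = "givenName || sn || cn || displayName || telephoneNumber || mobile || roomNumber")(version 3.0; acl "Users can modify a limited set of their own attributes"; allow (write) userdn = "ldap:///self";)
```

After loading it, a modify of telephoneNumber bound as uid=test,cn=users,cn=accounts,dc=greyoak,dc=com should succeed, while a modify of mail by the same bind should still be refused with the same "Insufficient 'write' privilege" error, and the access log should show the new ACI matching only for the listed attributes.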
