[Freeipa-devel] Need ACI to allow self-modification
Rob Crittenden
rcritten at redhat.com
Mon Oct 29 18:08:08 UTC 2007
I'm surprised we haven't seen this yet. I suppose I've done most unit
testing as 'admin' myself.
I created a user 'test' and tried to update a couple of attributes. I
get an error when I do:
Insufficient access: Insufficient 'write' privilege to the 'mail'
attribute of entry 'uid=test,cn=users,cn=accounts,dc=greyoak,dc=com'.
I think this is the relevant ACI that is failing:
[29/Oct/2007:14:03:04 -0400] NSACLPlugin - Evaluated ACL_FALSE
[29/Oct/2007:14:03:04 -0400] NSACLPlugin - conn=97 op=3 (main): Deny write on entry(uid=test,cn=users,cn=accounts,dc=greyoak,dc=com).attr(mail): no aci matched the subject by aci(7): aciname= "Account Admins can manage Users and Groups", acidn="dc=greyoak,dc=com"
I'm guessing that it is more a lack of a "user can modify themselves" ACI.
Pete, can you provide one? This is a bit of a blocker.
I created https://hosted.fedoraproject.org/projects/freeipa/ticket/65
for tracking.
thanks
rob
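
A self-write ACI of the kind requested above, in 389 Directory Server ACI syntax. This is an added example, not part of the original message and not the ACI FreeIPA ships. Assumptions: the ACI is placed on the users container taken from the error message, and telephoneNumber and mobile are illustrative attributes (only mail appears in the message).

```ldif
# Added example. Load with ldapmodify as a directory administrator.
#
# Too broad (shown commented out): a wildcard target lets every user rewrite
# any attribute of their own entry, including identity attributes such as
# uidNumber and gidNumber that clients trust.
#
# dn: cn=users,cn=accounts,dc=greyoak,dc=com
# changetype: modify
# add: aci
# aci: (targetattr = "*")(version 3.0; acl "Self can write everything"; allow (write) userdn = "ldap:///self";)

# Narrow form: an explicit allow-list of attributes, write right only,
# and the subject limited to the bound user's own entry (ldap:///self).
# The attribute list is an assumption; extend it one attribute at a time.
dn: cn=users,cn=accounts,dc=greyoak,dc=com
changetype: modify
add: aci
aci: (targetattr = "mail || telephoneNumber || mobile")(version 3.0; acl "Users can modify selected attributes of their own entry"; allow (write) userdn = "ldap:///self";)
```

With the narrow form loaded, retrying the mail update as 'test' should log an allow for attr(mail) from NSACLPlugin, while a self-write to an attribute outside the list still produces a Deny line like the one quoted in the message.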