[Freeipa-devel] Need ACI to allow self-modification

Simo Sorce ssorce at redhat.com
Mon Oct 29 18:49:57 UTC 2007


On Mon, 2007-10-29 at 14:08 -0400, Rob Crittenden wrote:
> I'm surprised we haven't seen this yet. I suppose I've done most unit 
> testing as 'admin' myself.
> 
> I created a user 'test' and tried to update a couple of attributes. I 
> get an error when I do:
> 
> Insufficient access: Insufficient 'write' privilege to the 'mail' 
> attribute of entry 'uid=test,cn=users,cn=accounts,dc=greyoak,dc=com'.
> 
> I think this is the relevant ACI that is failing:
> 
> [29/Oct/2007:14:03:04 -0400] NSACLPlugin - Evaluated ACL_FALSE
> [29/Oct/2007:14:03:04 -0400] NSACLPlugin - conn=97 op=3 (main): Deny 
> write on 
> entry(uid=test,cn=users,cn=accounts,dc=greyoak,dc=com).attr(mail): no 
> aci matched the subject by aci(7): aciname= "Account Admins can
> manage 
> Users and Groups", acidn="dc=greyoak,dc=com"
> 
> I'm guessing that it is more a lack of a "user can modify themselves" ACI.

But should we allow users to modify their own entries?
And if so, which attributes exactly should we let a user modify himself?

"mail" is not something I would allow, but I guess that depends on the
use case?

Simo.
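The "user can modify themselves" ACI the thread is discussing, written out as an added illustration rather than anything from this thread or from FreeIPA's own schema; it reuses the dc=greyoak,dc=com suffix from the log above, while the attribute list is an assumption chosen to show a least-privilege self-service rule (note that "mail" is deliberately left out):

```ldif
# Added example (not from the thread). Two ways to grant self-modification
# in 389 DS ACI syntax; the first is what NOT to do, the second is the
# allow-list form that keeps attributes such as "mail" under admin control.

# Overly broad: lets a user rewrite ANY attribute of their own entry,
# including ones that affect authentication or group membership.
# dn: cn=users,cn=accounts,dc=greyoak,dc=com
# aci: (targetattr = "*")(version 3.0; acl "Users can modify themselves";
#       allow (write) userdn = "ldap:///self";)

# Restricted form: only the listed attributes are self-writable. The list
# is an assumption for this example; anything not named (e.g. "mail",
# "uid", "memberOf") still fails with "Insufficient 'write' privilege".
dn: cn=users,cn=accounts,dc=greyoak,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword || givenName || sn || telephoneNumber")
 (version 3.0; acl "Users can modify selected attributes of their own entry";
 allow (write) userdn = "ldap:///self";)
```

After loading it, a bind as uid=test changing telephoneNumber succeeds, while changing mail still produces the NSACLPlugin "Deny write ... attr(mail)" line shown above, which is the quickest way to confirm the allow-list is doing its job.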