Blame SOURCES/0001-updates-fix-memberManager-ACI-to-allow-managers-from-a-specified-group_rhbz#2056009.patch

From 651e28c1fb6b86ad1fbd4ea98644e00b7042499c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Dec 02 2022 12:21:22 +0000
Subject: updates: fix memberManager ACI to allow managers from a specified group

The original implementation of the member manager added support for both
user and group managers but left out the upgrade scenario. This means that
when upgrading an existing installation, a manager whose rights are defined
by group membership would not be able to add group members until the ACI
is fixed.

Remove the old ACI and add a full one during the upgrade step.

Fixes: https://pagure.io/freeipa/issue/9286
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

---

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index a168bb9..4a7ba13 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -141,11 +141,13 @@ add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can 
 
 # Allow member managers to modify members of user groups
 dn: cn=groups,cn=accounts,$SUFFIX
-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
+remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
 
 # Allow member managers to modify members of host groups
 dn: cn=hostgroups,cn=accounts,$SUFFIX
-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
+remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
 
 # Hosts can add and delete their own services
 dn: cn=services,cn=accounts,$SUFFIX
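Review bot: the two `remove:aci:` lines only take effect when the value matches the ACI stored in the directory byte for byte, since the updater removes by value; an installation whose stored ACI differs from the original `add:aci:` value even in whitespace or quoting keeps the old ACI next to the new one on cn=groups and cn=hostgroups. That is not an access-control regression, because the new ACI is a strict superset of the old one (`userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN"` versus `userattr = "memberManager#USERDN"` alone), but it leaves a stale duplicate with the same acl name, and the commit message should say that on fresh installs the `remove:` is expected to be a no-op before the `add:`. A post-upgrade check that reads the aci attribute of both containers and confirms exactly one "Allow member managers to modify members of ..." entry each would make the upgrade verifiable.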