<html><body><div style="font-family: times new roman, new york, times, serif; font-size: 12pt; color: #000000"><div>Thank you Ludwig, I think the attribute behavior should be as you describe it, so I've made a ticket - https://fedorahosted.org/389/ticket/47950<br></div><div><br></div><hr id="zwchr"><blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"Ludwig Krispenz" &lt;lkrispen@redhat.com&gt;<br><b>To: </b>389-users@lists.fedoraproject.org<br><b>Sent: </b>Tuesday 11 November 2014 11:06:10<br><b>Subject: </b>Re: [389-users] Groupe modifications and internalModifiersName<br><div><br></div>
<br>
<div class="moz-cite-prefix">On 11/11/2014 10:45 AM, Ivanov Andrey
(M.) wrote:<br>
</div>
<blockquote cite="mid:1740768656.2109999.1415699108334.JavaMail.zimbra@zimbra.polytechnique.fr">
<div style="font-family: times new roman, new york, times, serif;
font-size: 12pt; color: #000000">
<div>Hi,<br>
</div>
<div><br>
</div>
<div>I continue with my tests of 389ds v1.3.2.24. I've
encountered another bug or strange behavior (by design?).<br>
</div>
<div>I've activated bind dn tracking (<strong>nsslapd-plugin-binddn-tracking:
on</strong>). There is an account that has the right to add
the entries and to change some attributes (e.g. description).
The corresponding ACI:<br>
</div>
<div><br>
</div>
<div>dn:
ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu<br>
aci: (targetattr = "<strong>objectClass || uniqueMember ||
owner || cn || description || businessCategory</strong>" )
(version 3.0;acl "Droits de rejouter/supprimer/modifier les
groupes et leurs att<br>
ributs";allow (<strong>add, delete, read,compare,search,write</strong>)(userdn=<a class="moz-txt-link-rfc2396E" href="ldap:///uid=sync-cours,ou=Comptesgeneriques,ou=Utilisateurs,dc=id,dc=polytechnique,dc=edu" target="_blank">"ldap:///uid=sync-cours,ou=Comptes
generiques,ou=Utilisateurs,dc=id,dc=polytechnique,dc=edu"</a>);)</div>
<div><br>
</div>
<div><br>
</div>
<div>Any attempt to modify an authorized attribute from the list
above (for ex., <strong>description</strong>) results in <br>
</div>
<div>ldap_modify: Insufficient access (50)<br>
additional info: Insufficient 'write' privilege to the
'internalModifiersName' attribute of entry
'cn=mec431-2014,ou=2014,ou=cours,ou=enseignement,ou=groupes,dc=id,dc=polytechnique,dc=edu'.</div>
<div><br>
</div>
<div><br>
</div>
<div>[11/Nov/2014:10:38:49 +0100] conn=4 fd=256 slot=256
connection from 129.104.31.54 to 129.104.69.49<br>
[11/Nov/2014:10:38:49 +0100] conn=4 op=0 BIND dn=""
method=sasl version=3 mech=GSSAPI<br>
[11/Nov/2014:10:38:49 +0100] conn=4 op=0 RESULT err=14 tag=97
nentries=0 etime=0.008000, SASL bind in progress<br>
[11/Nov/2014:10:38:49 +0100] conn=4 op=1 BIND dn=""
method=sasl version=3 mech=GSSAPI<br>
[11/Nov/2014:10:38:49 +0100] conn=4 op=1 RESULT err=14 tag=97
nentries=0 etime=0.002000, SASL bind in progress<br>
<strong>[11/Nov/2014:10:38:49 +0100] conn=4 op=2 BIND dn=""
method=sasl version=3 mech=GSSAPI</strong><br>
<strong>[11/Nov/2014:10:38:49 +0100] conn=4 op=2 RESULT err=0
tag=97 nentries=0 etime=0.001000
dn="uid=sync-cours,ou=comptes
generiques,ou=utilisateurs,dc=id,dc=polytechnique,dc=edu"</strong><br>
[11/Nov/2014:10:38:49 +0100] conn=4 op=3 SRCH
base="dc=id,dc=polytechnique,dc=edu" scope=2
filter="(cn=MEC431-2014)" attrs=ALL<br>
[11/Nov/2014:10:38:49 +0100] conn=4 op=3 RESULT err=0 tag=101
nentries=1 etime=0.003000<br>
[11/Nov/2014:10:39:00 +0100] conn=4 op=4 MOD
dn="cn=MEC431-2014,ou=2014,ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu"<br>
<strong>[11/Nov/2014:10:39:00 +0100] conn=4 op=4 RESULT err=50
tag=103 nentries=0 etime=0.002000</strong></div>
<div><strong><br>
</strong></div>
<div><br>
</div>
<div>Is it an expected behavior, and do I need to add to all the
ACIs that allow modifications the right to
modify the internalModifiersName attribute </div>
</div>
</blockquote>
Good question, not sure if this was intentional, but I think
internalModifiersName should be written like modifiersname without
specific permission<strong>.<br>
<br>
</strong>so for now I suggest you add the aci and open a ticket to
get it investigated<strong><br>
</strong>
<blockquote cite="mid:1740768656.2109999.1415699108334.JavaMail.zimbra@zimbra.polytechnique.fr">
<div style="font-family: times new roman, new york, times, serif;
font-size: 12pt; color: #000000">
<div>(if I add it, everything is fine and the attribute <strong>internalModifiersName</strong>
becomes "<strong>cn=ldbm database,cn=plugins,cn=config</strong>").</div>
<div>Or is it a bug?<br>
</div>
<div><br>
</div>
<div>Thank you!<br>
</div>
<div><br>
</div>
<div>Regards,<br>
</div>
</div>
<br>
<br>
<pre>--
389 users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></pre>
</blockquote>
<br>
<br></blockquote><div><br></div></div></body></html>