On 11/11/2014 10:45 AM, Ivanov Andrey (M.) wrote:
Hi,
I continue with my tests of 389ds v1.3.2.24. I've encountered another
bug or strange behavior (by design?).
I've activated bind dn tracking (nsslapd-plugin-binddn-tracking:
on). There is an account that has the right to add the entries and to
change some attributes (e.g. description). The corresponding ACI:
dn: ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu
aci: (targetattr = "objectClass || uniqueMember || owner || cn || description || businessCategory" ) (version 3.0;acl "Droits de rejouter/supprimer/modifier les groupes et leurs attributs";allow (add, delete, read,compare,search,write)(userdn="ldap:///uid=sync-cours,ou=Comptes generiques,ou=Utilisateurs,dc=id,dc=polytechnique,dc=edu");)
Any attempt to modify an authorized attribute from the list above (for
ex., description) results in
ldap_modify: Insufficient access (50)
additional info: Insufficient 'write' privilege to the
'internalModifiersName' attribute of entry
'cn=mec431-2014,ou=2014,ou=cours,ou=enseignement,ou=groupes,dc=id,dc=polytechnique,dc=edu'.
[11/Nov/2014:10:38:49 +0100] conn=4 fd=256 slot=256 connection from 129.104.31.54 to 129.104.69.49
[11/Nov/2014:10:38:49 +0100] conn=4 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Nov/2014:10:38:49 +0100] conn=4 op=0 RESULT err=14 tag=97 nentries=0 etime=0.008000, SASL bind in progress
[11/Nov/2014:10:38:49 +0100] conn=4 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Nov/2014:10:38:49 +0100] conn=4 op=1 RESULT err=14 tag=97 nentries=0 etime=0.002000, SASL bind in progress
[11/Nov/2014:10:38:49 +0100] conn=4 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Nov/2014:10:38:49 +0100] conn=4 op=2 RESULT err=0 tag=97 nentries=0 etime=0.001000 dn="uid=sync-cours,ou=comptes generiques,ou=utilisateurs,dc=id,dc=polytechnique,dc=edu"
[11/Nov/2014:10:38:49 +0100] conn=4 op=3 SRCH base="dc=id,dc=polytechnique,dc=edu" scope=2 filter="(cn=MEC431-2014)" attrs=ALL
[11/Nov/2014:10:38:49 +0100] conn=4 op=3 RESULT err=0 tag=101 nentries=1 etime=0.003000
[11/Nov/2014:10:39:00 +0100] conn=4 op=4 MOD dn="cn=MEC431-2014,ou=2014,ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu"
[11/Nov/2014:10:39:00 +0100] conn=4 op=4 RESULT err=50 tag=103 nentries=0 etime=0.002000
Is it expected behavior, and do I need to add to all the ACIs that
allow modifications the right to modify the internalModifiersName attribute?
Good question, not sure if this was intentional, but I think
internalModifiersName should be written like modifiersname without
specific permission.
So for now I suggest you add the aci and open a ticket to get it
investigated.

(If I add it, everything is fine and the attribute
internalModifiersName becomes "cn=ldbm
database,cn=plugins,cn=config".)
Or is it a bug?
Thank you!
Regards,
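Added example, not part of this thread or of 389-ds itself: a small Python script that parses the access-log lines quoted in the message, ties each RESULT record to its request by (conn, op), remembers the DN reported on the successful SASL bind RESULT (for a simple bind it takes the DN from the BIND line instead), and lists every operation that ended with err=50 together with the identity that was denied and the entry it targeted. The log layout is the one visible above; the sample lines are the message's own, joined to one record per line; the function names and the dict layout are my own choices.

```python
"""Correlate 389-ds access-log records: which bound identity was denied
(err=50, insufficient access) on which operation and target entry."""
import re
from collections import Counter, defaultdict

# One record: "[timestamp] conn=N [op=M TYPE] key=value ..."; the first
# record of a connection ("connection from ...") has no op/type.
HEADER = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)'
    r'(?: op=(?P<op>-?\d+) (?P<type>[A-Z]+))?(?P<rest>.*)$')
# key=value pairs; values are either "quoted" (may contain spaces and
# commas, e.g. a DN) or a bare token ending at whitespace or a comma.
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s,]+)')

# Sample input: the access-log lines from the message, one record per line.
SAMPLE_LOG = """
[11/Nov/2014:10:38:49 +0100] conn=4 fd=256 slot=256 connection from 129.104.31.54 to 129.104.69.49
[11/Nov/2014:10:38:49 +0100] conn=4 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Nov/2014:10:38:49 +0100] conn=4 op=0 RESULT err=14 tag=97 nentries=0 etime=0.008000, SASL bind in progress
[11/Nov/2014:10:38:49 +0100] conn=4 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Nov/2014:10:38:49 +0100] conn=4 op=1 RESULT err=14 tag=97 nentries=0 etime=0.002000, SASL bind in progress
[11/Nov/2014:10:38:49 +0100] conn=4 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Nov/2014:10:38:49 +0100] conn=4 op=2 RESULT err=0 tag=97 nentries=0 etime=0.001000 dn="uid=sync-cours,ou=comptes generiques,ou=utilisateurs,dc=id,dc=polytechnique,dc=edu"
[11/Nov/2014:10:38:49 +0100] conn=4 op=3 SRCH base="dc=id,dc=polytechnique,dc=edu" scope=2 filter="(cn=MEC431-2014)" attrs=ALL
[11/Nov/2014:10:38:49 +0100] conn=4 op=3 RESULT err=0 tag=101 nentries=1 etime=0.003000
[11/Nov/2014:10:39:00 +0100] conn=4 op=4 MOD dn="cn=MEC431-2014,ou=2014,ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu"
[11/Nov/2014:10:39:00 +0100] conn=4 op=4 RESULT err=50 tag=103 nentries=0 etime=0.002000
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()


def parse_line(line):
    """Return a dict for one access-log record, or None if it does not match."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "conn": int(m["conn"]),
           "op": int(m["op"]) if m["op"] is not None else None,
           "type": m["type"]}
    for key, val in KV.findall(m["rest"]):
        rec[key] = val[1:-1] if val.startswith('"') else val
    return rec


def correlate(lines):
    """Return one record per operation that ended with err=50, each carrying
    the DN the connection was bound as when the operation was refused."""
    bound = defaultdict(str)   # conn -> DN of the last successful bind ("" = anonymous)
    pending = {}               # (conn, op) -> request record awaiting its RESULT
    denials = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["type"] is None:
            continue
        key = (rec["conn"], rec["op"])
        if rec["type"] != "RESULT":
            pending[key] = rec
            continue
        req = pending.pop(key, None)
        err = int(rec.get("err", "0"))
        if req and req["type"] == "BIND" and err == 0:
            # A multi-step SASL bind reports the mapped identity on the final
            # RESULT (dn="..."); a simple bind carries it on the BIND line.
            bound[rec["conn"]] = rec.get("dn") or req.get("dn", "")
        if err == 50:
            denials.append({
                "ts": rec["ts"], "conn": rec["conn"], "op": rec["op"],
                "type": req["type"] if req else "?",
                "bound_dn": bound[rec["conn"]],
                "target": req.get("dn", req.get("base", "")) if req else "",
            })
    return denials


def denials_by_identity(lines):
    """Count err=50 results per bound DN; a spike for one identity usually
    means an ACI (or, as in the thread, a plugin-written attribute) is missing."""
    return Counter(d["bound_dn"] for d in correlate(lines))


if __name__ == "__main__":
    for d in correlate(SAMPLE_LINES):
        print(f'{d["ts"]} conn={d["conn"]} op={d["op"]} {d["type"]} denied for '
              f'"{d["bound_dn"]}" on "{d["target"]}"')
```

Run on the sample it reports the single MOD on conn=4 op=4, refused for uid=sync-cours; the access log alone does not say which attribute was refused, so the "Insufficient 'write' privilege to the 'internalModifiersName' attribute" detail still has to come from the client-side error (or the errors log), which is why the script pairs the bound DN with the target entry rather than trying to guess the attribute.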
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users