[389-users] Groupe modifications and internalModifiersName
Ivanov Andrey (M.)
andrey.ivanov at polytechnique.fr
Tue Nov 11 10:22:39 UTC 2014
Thank you Ludwig, I think the attribute behavior should be as you describe it, so I've made a ticket - https://fedorahosted.org/389/ticket/47950
----- Mail original -----
> De: "Ludwig Krispenz" <lkrispen at redhat.com>
> À: 389-users at lists.fedoraproject.org
> Envoyé: Mardi 11 Novembre 2014 11:06:10
> Objet: Re: [389-users] Groupe modifications and internalModifiersName
> On 11/11/2014 10:45 AM, Ivanov Andrey (M.) wrote:
> > Hi,
> >
> > I continue with my tests of 389ds v1.3.2.24. I've encountered another bug
> > or strange behavior (by design?).
> >
> > I've activated bind dn tracking ( nsslapd-plugin-binddn-tracking: on ). There
> > is an account that has the right to add the entries and to change some
> > attributes (e.g. description). The corresponding ACI:
>
> > dn: ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu
> > aci: (targetattr = " objectClass || uniqueMember || owner || cn ||
> > description || businessCategory " ) (version 3.0;acl "Droits de
> > rejouter/supprimer/modifier les groupes et leurs attributs";allow ( add,
> > delete, read,compare,search,write )(userdn=
> > "ldap:///uid=sync-cours,ou=Comptes
> > generiques,ou=Utilisateurs,dc=id,dc=polytechnique,dc=edu" );)
>
> > Any attempt to modify an authorized attribute from the list above (for ex.,
> > description ) results in
> >
> > ldap_modify: Insufficient access (50)
> > additional info: Insufficient 'write' privilege to the
> > 'internalModifiersName' attribute of entry
> > 'cn=mec431-2014,ou=2014,ou=cours,ou=enseignement,ou=groupes,dc=id,dc=polytechnique,dc=edu'.
>
> > [11/Nov/2014:10:38:49 +0100] conn=4 fd=256 slot=256 connection from 129.104.31.54 to 129.104.69.49
> > [11/Nov/2014:10:38:49 +0100] conn=4 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> > [11/Nov/2014:10:38:49 +0100] conn=4 op=0 RESULT err=14 tag=97 nentries=0 etime=0.008000, SASL bind in progress
> > [11/Nov/2014:10:38:49 +0100] conn=4 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> > [11/Nov/2014:10:38:49 +0100] conn=4 op=1 RESULT err=14 tag=97 nentries=0 etime=0.002000, SASL bind in progress
> > [11/Nov/2014:10:38:49 +0100] conn=4 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
> > [11/Nov/2014:10:38:49 +0100] conn=4 op=2 RESULT err=0 tag=97 nentries=0 etime=0.001000 dn="uid=sync-cours,ou=comptes generiques,ou=utilisateurs,dc=id,dc=polytechnique,dc=edu"
> > [11/Nov/2014:10:38:49 +0100] conn=4 op=3 SRCH base="dc=id,dc=polytechnique,dc=edu" scope=2 filter="(cn=MEC431-2014)" attrs=ALL
> > [11/Nov/2014:10:38:49 +0100] conn=4 op=3 RESULT err=0 tag=101 nentries=1 etime=0.003000
> > [11/Nov/2014:10:39:00 +0100] conn=4 op=4 MOD dn="cn=MEC431-2014,ou=2014,ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu"
> > [11/Nov/2014:10:39:00 +0100] conn=4 op=4 RESULT err=50 tag=103 nentries=0 etime=0.002000
>
> > Is it expected behavior, and do I need to add the right to modify the
> > internalModifiersName attribute to all the ACIs that allow modifications?
>
> Good question, not sure if this was intentional, but I think
> internalModifiersName should be written like modifiersName without specific
> permission.
> So for now I suggest you add the ACI and open a ticket to get it investigated.
> > (If I add it, everything is fine and the attribute internalModifiersName
> > becomes " cn=ldbm database,cn=plugins,cn=config ".)
>
> > Or is it a bug?
>
> > Thank you!
>
> > Regards,
>
> > --
>
> > 389 users mailing list 389-users at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/389-users
>
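An added example, not code from the thread or from 389 Directory Server itself: the Python below does the two checks an administrator would run on a report like the one above. It walks 389-ds access-log lines, joins each `RESULT err=50` (insufficientAccessRights) with the operation it answers and with the DN established by the last successful BIND on that connection (for a SASL bind the identity only appears on the final RESULT line, as in the log quoted above), and it parses an ACI's `targetattr` clause to tell whether a given attribute is named in it. The log lines and the ACI are copied from the quoted mail; the `!=` and `*` forms of `targetattr` are standard ACI syntax, while the function names and the record layout are this example's own.

```python
"""Correlate 389-ds access-log access denials with the bound DN, and check
an ACI's targetattr clause for a given attribute.

Added example for the mailing-list thread; not 389-ds code. The sample
log and ACI are copied from the quoted mail, everything else is this
example's own construction."""
import re

# Access-log lines copied from the quoted mail (conn=4 only).
ACCESS_LOG = """\
[11/Nov/2014:10:38:49 +0100] conn=4 fd=256 slot=256 connection from 129.104.31.54 to 129.104.69.49
[11/Nov/2014:10:38:49 +0100] conn=4 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Nov/2014:10:38:49 +0100] conn=4 op=0 RESULT err=14 tag=97 nentries=0 etime=0.008000, SASL bind in progress
[11/Nov/2014:10:38:49 +0100] conn=4 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Nov/2014:10:38:49 +0100] conn=4 op=1 RESULT err=14 tag=97 nentries=0 etime=0.002000, SASL bind in progress
[11/Nov/2014:10:38:49 +0100] conn=4 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Nov/2014:10:38:49 +0100] conn=4 op=2 RESULT err=0 tag=97 nentries=0 etime=0.001000 dn="uid=sync-cours,ou=comptes generiques,ou=utilisateurs,dc=id,dc=polytechnique,dc=edu"
[11/Nov/2014:10:38:49 +0100] conn=4 op=3 SRCH base="dc=id,dc=polytechnique,dc=edu" scope=2 filter="(cn=MEC431-2014)" attrs=ALL
[11/Nov/2014:10:38:49 +0100] conn=4 op=3 RESULT err=0 tag=101 nentries=1 etime=0.003000
[11/Nov/2014:10:39:00 +0100] conn=4 op=4 MOD dn="cn=MEC431-2014,ou=2014,ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu"
[11/Nov/2014:10:39:00 +0100] conn=4 op=4 RESULT err=50 tag=103 nentries=0 etime=0.002000
"""

# The ACI from the quoted mail, on one line.
SAMPLE_ACI = ('(targetattr = " objectClass || uniqueMember || owner || cn || '
              'description || businessCategory " ) (version 3.0;acl "Droits de '
              'rejouter/supprimer/modifier les groupes et leurs attributs";'
              'allow ( add, delete, read,compare,search,write )(userdn= '
              '"ldap:///uid=sync-cours,ou=Comptes generiques,ou=Utilisateurs,'
              'dc=id,dc=polytechnique,dc=edu" );)')

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
OP_RE = re.compile(r'^op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<args>.*)$')
ERR_RE = re.compile(r'\berr=(?P<err>\d+)')
DN_RE = re.compile(r'\bdn="(?P<dn>[^"]*)"')


def find_access_denials(log_text):
    """One record per RESULT err=50, joined with the operation it answers
    (kind and target DN) and the DN bound on that connection at the time."""
    bound = {}     # conn -> DN from the last successful BIND on that conn
    pending = {}   # (conn, op) -> (operation kind, target DN) awaiting RESULT
    denials = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn = m['conn']
        op = OP_RE.match(m['rest'])
        if not op:
            continue                      # connection open/close: no op= field
        key = (conn, op['op'])
        if op['kind'] != 'RESULT':
            dn = DN_RE.search(op['args'])
            pending[key] = (op['kind'], dn['dn'] if dn else '')
            continue
        kind, target = pending.pop(key, ('?', ''))
        em = ERR_RE.search(op['args'])
        err = int(em['err']) if em else -1
        dn = DN_RE.search(op['args'])
        if kind == 'BIND' and err == 0:
            # Simple bind: identity is on the BIND line; SASL: on the final RESULT.
            bound[conn] = dn['dn'] if dn else target
        if err == 50:
            denials.append({'ts': m['ts'], 'conn': conn, 'op': kind, 'err': err,
                            'target_dn': target, 'bound_dn': bound.get(conn, '')})
    return denials


TARGETATTR_RE = re.compile(
    r'\(\s*targetattr\s*(?P<neg>!?=)\s*"(?P<attrs>[^"]*)"\s*\)', re.IGNORECASE)


def aci_target_attrs(aci):
    """Parse the targetattr clause into (negated, {lower-cased attribute names}).
    An ACI without a targetattr clause is rejected rather than guessed at."""
    m = TARGETATTR_RE.search(aci)
    if not m:
        raise ValueError('ACI has no targetattr clause')
    attrs = {a.strip().lower() for a in m['attrs'].split('||') if a.strip()}
    return m['neg'] == '!=', attrs


def aci_covers(aci, attr):
    """True if the targetattr clause applies to `attr` (case-insensitive,
    honouring the '*' wildcard and the 'targetattr != ...' negation)."""
    negated, attrs = aci_target_attrs(aci)
    hit = '*' in attrs or attr.lower() in attrs
    return (not hit) if negated else hit


if __name__ == '__main__':
    for d in find_access_denials(ACCESS_LOG):
        print(f"{d['ts']} conn={d['conn']} {d['op']} on {d['target_dn']} "
              f"denied for {d['bound_dn']}")
    print('internalModifiersName in targetattr:',
          aci_covers(SAMPLE_ACI, 'internalModifiersName'))
```

Run against the quoted log the script reports a single denial, the `MOD` on `cn=MEC431-2014,...` by `uid=sync-cours,...`, and confirms that the ACI as written does not name `internalModifiersName`; whether the server should require that grant at all is the question the ticket above asks.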