[389-users] Group modifications and internalModifiersName

Ivanov Andrey (M.) andrey.ivanov at polytechnique.fr
Tue Nov 11 10:22:39 UTC 2014


Thank you Ludwig, I think the attribute behavior should be as you describe it, so I've made a ticket: https://fedorahosted.org/389/ticket/47950

----- Mail original -----

> From: "Ludwig Krispenz" <lkrispen at redhat.com>
> To: 389-users at lists.fedoraproject.org
> Sent: Tuesday 11 November 2014 11:06:10
> Subject: Re: [389-users] Group modifications and internalModifiersName

> On 11/11/2014 10:45 AM, Ivanov Andrey (M.) wrote:

> > Hi,
> 

> > I continue with my tests of 389ds v1.3.2.24. I've encountered another bug
> > or strange behavior (by design?).
> 
> > I've activated bind DN tracking (nsslapd-plugin-binddn-tracking: on). There
> > is an account that has the right to add the entries and to change some
> > attributes (e.g. description). The corresponding ACI:
> 

> > dn: ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu
> > aci: (targetattr = " objectClass || uniqueMember || owner || cn || description || businessCategory " ) (version 3.0;acl "Droits de rejouter/supprimer/modifier les groupes et leurs attributs";allow ( add, delete, read,compare,search,write )(userdn= "ldap:///uid=sync-cours,ou=Comptes generiques,ou=Utilisateurs,dc=id,dc=polytechnique,dc=edu" );)
> 

> > Any attempt to modify an authorized attribute from the list above (for
> > example, description) results in
> 
> > ldap_modify: Insufficient access (50)
> > additional info: Insufficient 'write' privilege to the 'internalModifiersName' attribute of entry 'cn=mec431-2014,ou=2014,ou=cours,ou=enseignement,ou=groupes,dc=id,dc=polytechnique,dc=edu'.
> 

> > [11/Nov/2014:10:38:49 +0100] conn=4 fd=256 slot=256 connection from 129.104.31.54 to 129.104.69.49
> > [11/Nov/2014:10:38:49 +0100] conn=4 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> > [11/Nov/2014:10:38:49 +0100] conn=4 op=0 RESULT err=14 tag=97 nentries=0 etime=0.008000, SASL bind in progress
> > [11/Nov/2014:10:38:49 +0100] conn=4 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> > [11/Nov/2014:10:38:49 +0100] conn=4 op=1 RESULT err=14 tag=97 nentries=0 etime=0.002000, SASL bind in progress
> > [11/Nov/2014:10:38:49 +0100] conn=4 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
> > [11/Nov/2014:10:38:49 +0100] conn=4 op=2 RESULT err=0 tag=97 nentries=0 etime=0.001000 dn="uid=sync-cours,ou=comptes generiques,ou=utilisateurs,dc=id,dc=polytechnique,dc=edu"
> > [11/Nov/2014:10:38:49 +0100] conn=4 op=3 SRCH base="dc=id,dc=polytechnique,dc=edu" scope=2 filter="(cn=MEC431-2014)" attrs=ALL
> > [11/Nov/2014:10:38:49 +0100] conn=4 op=3 RESULT err=0 tag=101 nentries=1 etime=0.003000
> > [11/Nov/2014:10:39:00 +0100] conn=4 op=4 MOD dn="cn=MEC431-2014,ou=2014,ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu"
> > [11/Nov/2014:10:39:00 +0100] conn=4 op=4 RESULT err=50 tag=103 nentries=0 etime=0.002000
> 

> > Is it an expected behavior and I need to add to all the ACIs that allow
> > modifications the right to modify the internalModifiersName attribute
> 

> Good question, not sure if this was intentional, but I think
> internalModifiersName should be written like modifiersname without specific
> permission.

> So for now I suggest you add the ACI and open a ticket to get it investigated.

> > (If I add it, everything is fine and the attribute internalModifiersName
> > becomes "cn=ldbm database,cn=plugins,cn=config".)
> 
> > Or is it a bug?
> 

> > Thank you!
> 

> > Regards,
> 

> > --
> 
> > 389 users mailing list 389-users at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/389-users
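As an added example (not from the thread or from the 389 DS project), here is a small Python correlator for 389 DS access-log lines like the ones Andrey quoted: it ties each connection's successful BIND RESULT to the write operations that follow on the same connection and reports which bound DN was denied (err=50) on which entry. Run over a real access log, this separates an ACI gap such as the internalModifiersName one from a genuinely unauthorized write attempt. The sample log is the thread's, re-joined onto single lines; the function and record field names are my own.

```python
import re
# Constructed sample input: the 389 DS access-log lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
[11/Nov/2014:10:38:49 +0100] conn=4 fd=256 slot=256 connection from 129.104.31.54 to 129.104.69.49
[11/Nov/2014:10:38:49 +0100] conn=4 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Nov/2014:10:38:49 +0100] conn=4 op=0 RESULT err=14 tag=97 nentries=0 etime=0.008000, SASL bind in progress
[11/Nov/2014:10:38:49 +0100] conn=4 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Nov/2014:10:38:49 +0100] conn=4 op=2 RESULT err=0 tag=97 nentries=0 etime=0.001000 dn="uid=sync-cours,ou=comptes generiques,ou=utilisateurs,dc=id,dc=polytechnique,dc=edu"
[11/Nov/2014:10:38:49 +0100] conn=4 op=3 SRCH base="dc=id,dc=polytechnique,dc=edu" scope=2 filter="(cn=MEC431-2014)" attrs=ALL
[11/Nov/2014:10:38:49 +0100] conn=4 op=3 RESULT err=0 tag=101 nentries=1 etime=0.003000
[11/Nov/2014:10:39:00 +0100] conn=4 op=4 MOD dn="cn=MEC431-2014,ou=2014,ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu"
[11/Nov/2014:10:39:00 +0100] conn=4 op=4 RESULT err=50 tag=103 nentries=0 etime=0.002000
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')
DN_RE = re.compile(r'\bdn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r'\berr=(?P<err>\d+)')
WRITE_OPS = ('MOD', 'ADD', 'DEL', 'MODRDN')
LDAP_INSUFFICIENT_ACCESS = 50  # the err= value behind "Insufficient access (50)"

def find_denied_writes(log_text):
    """Write operations that ended in err=50, joined to the DN bound on that connection."""
    bound = {}   # conn -> DN of the last successful bind on that connection
    binds = {}   # (conn, op) -> DN on the BIND line ("" for SASL, filled in on RESULT)
    writes = {}  # (conn, op) -> (operation, target DN)
    denied = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, rest = m['conn'], m['op'], m['rest']
        kind = rest.split(' ', 1)[0]
        dn = DN_RE.search(rest)
        if kind == 'BIND':
            binds[(conn, op)] = dn['dn'] if dn else ''
        elif kind in WRITE_OPS:
            writes[(conn, op)] = (kind, dn['dn'] if dn else '')
        elif kind == 'RESULT':
            err = int(ERR_RE.search(rest)['err'])
            if (conn, op) in binds:
                # SASL binds stay err=14 while in progress and report the final
                # identity on the err=0 RESULT line; simple binds carry it on BIND.
                if err == 0:
                    bound[conn] = dn['dn'] if dn else binds[(conn, op)]
                del binds[(conn, op)]
            elif (conn, op) in writes and err == LDAP_INSUFFICIENT_ACCESS:
                operation, target = writes.pop((conn, op))
                denied.append({'time': m['ts'], 'conn': conn, 'operation': operation,
                               'target': target, 'bind_dn': bound.get(conn, '<anonymous>')})
    return denied
```

On the sample it yields one record: the MOD on cn=MEC431-2014 by uid=sync-cours, which is the write the ACI was meant to allow.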