On 09/06/15 13:05, Martin Basti wrote:
On 09/06/15 12:58, Martin Basti wrote:
On 08/06/15 20:59, [email protected] wrote:
I am trying my best to figure out why any FreeIPA internal 'administrators' that I create cannot search DNS entries. The builtin admin user can search and get results for DNS entries just fine, but we would rather not share this account with every sysadmin on our staff.

I have created a new role called "Super Admin". On the privileges tab for this user, I have added every single privilege in the 'Add' menu. This role now has all 29 privileges defined on the system. However, even after assigning a user to this role, and logging out and back in again, he cannot search DNS entries. He can see every DNS entry if he manually pages through them one at a time (we have several thousand, so this is not workable as you would have to scroll through hundreds of pages). The problem is that any search always returns zero entries.
I thought maybe something was missing, so I created a new privilege called "All privileges". I then tried to add each individual permission to this privilege. I could only add 76 permissions. All other permissions would give the following error when I tried to add them: "invalid 'permission': cannot add permission "System: Read Automount Configuration" with bindtype "anonymous" to a privilege"

I can see if I go to the permissions menu that there are actually 174 possible permissions, so only being able to add 76 of them seems really strange.
So my questions are:
1) Why can a user with 'all' privileges not search DNS entries?
2) Why am I only able to add 76 out of the 174 permissions to a privilege?
3) Is there anything that can be done to allow a user that is not the builtin 'admin' user to search DNS entries or actually be allotted all permissions on the system?
Hello,
which version of IPA do you use?
I was able to find all zones with a new user on IPA 4.1.
I just added the 'DNS administrators' privilege for the new user.
Martin
I reproduced this issue; IMO it is not related to permissions, but to the search command itself. I will investigate.
Indeed you were right, there is a wrong filter, which is denied by ACI.
Thank you for this bug report.
--
Martin Basti