On 9.6.2015 13:54, Martin Basti wrote:
> On 09/06/15 13:05, Martin Basti wrote:
>> On 09/06/15 12:58, Martin Basti wrote:
>>> On 08/06/15 20:59, [email protected] wrote:
>>>> I am trying my best to figure out why any FreeIPA internal
>>>> 'administrators' that I create cannot search DNS entries.
>>>>
>>>> The builtin admin user can search and get results for DNS entries just
>>>> fine, but we would rather not share this account with every sysadmin in
>>>> our staff.
>>>>
>>>> I have created a new role called "Super Admin". On the privileges tab for
>>>> this role, I have added every single privilege in the 'Add' menu. This
>>>> role now has all 29 privileges defined on the system. However, even after
>>>> assigning a user to this role, and logging out and back in again, he
>>>> cannot search DNS entries. He can see every DNS entry if he manually
>>>> pages through them one at a time (we have several thousand, so this is not
>>>> workable as you would have to scroll through hundreds of pages). The
>>>> problem is that any search always returns zero entries.
>>>>
>>>> I thought maybe something was missing, so I created a new privilege called
>>>> "All privileges". I then tried to add each individual permission to this
>>>> privilege. I could only add 76 permissions. All other permissions would
>>>> give the following error when I tried to add them: "invalid 'permission':
>>>> cannot add permission "System: Read Automount Configuration" with bindtype
>>>> "anonymous" to a privilege"
>>>>
>>>> I can see if I go to the permissions menu that there are actually 174
>>>> possible permissions, so only being able to add 76 of them seems really
>>>> strange.
>>>>
>>>> So my questions are:
>>>> 1) Why can a user with 'all' privileges not search DNS entries?
>>>> 2) Why am I only able to add 76 out of the 174 permissions to a privilege?
>>>> 3) Is there anything that can be done to allow a user that is not the
>>>> builtin 'admin' user to search DNS entries, or actually be allotted all
>>>> permissions on the system?
>>>>
>>>>
>>> Hello,
>>>
>>> which version of IPA do you use?
>>>
>>> I was able to find all zones with a new user on IPA 4.1.
>>> I just added the 'DNS administrators' privilege for the new user.
>>>
>>> Martin
>>>
>>
>> I reproduced this issue. IMO it is not related to permissions, but to the search
>> command itself. I will investigate.
>>
> Indeed you were right, there is a wrong filter, which is denied by ACI.
>
> Thank you for this bug report.

Ticket: https://fedorahosted.org/freeipa/ticket/5055

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
