ipa/0001-updates-fix-memberManager-ACI-to-allow-managers-from.patch

From 42be04fe4ff317efe599dcbc2637f94ecc6fa220 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 21 Nov 2022 16:12:46 +0200
Subject: [PATCH] updates: fix memberManager ACI to allow managers from a
 specified group

The original implementation of the member manager added support for both
user and group managers but left out upgrade scenario. This means when
upgrading existing installation a manager whose rights defined by the
group membership would not be able to add group members until the ACI is
fixed.

Remove old ACI and add a full one during upgrade step.

Fixes: https://pagure.io/freeipa/issue/9286
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
 install/updates/20-aci.update | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index a168bb9573a9fbb9ff15f0b19bb8ec75b48d82a9..4a7ba137c4711aa3f8b064fdd482ffee76c59949 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -141,11 +141,13 @@ add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can
 
 # Allow member managers to modify members of user groups
 dn: cn=groups,cn=accounts,$SUFFIX
-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
+remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
 
 # Allow member managers to modify members of host groups
 dn: cn=hostgroups,cn=accounts,$SUFFIX
-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
+remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
 
 # Hosts can add and delete their own services
 dn: cn=services,cn=accounts,$SUFFIX
-- 
2.38.1
ipa-4.10.1-2 - Resolves: rhbz#2148887 MemberManager with groups fails - Resolves: rhbz#2150335 idm:client is missing dependency on krb5-pkinit Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> 2022-12-09 13:31:00 +00:00			`From 42be04fe4ff317efe599dcbc2637f94ecc6fa220 Mon Sep 17 00:00:00 2001`
			`From: Alexander Bokovoy <abokovoy@redhat.com>`
			`Date: Mon, 21 Nov 2022 16:12:46 +0200`
			`Subject: [PATCH] updates: fix memberManager ACI to allow managers from a`
			`specified group`

			`The original implementation of the member manager added support for both`
			`user and group managers but left out upgrade scenario. This means when`
			`upgrading existing installation a manager whose rights defined by the`
			`group membership would not be able to add group members until the ACI is`
			`fixed.`

			`Remove old ACI and add a full one during upgrade step.`

			`Fixes: https://pagure.io/freeipa/issue/9286`
			`Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>`
			`Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>`
			`---`
			`install/updates/20-aci.update \| 6 ++++--`
			`1 file changed, 4 insertions(+), 2 deletions(-)`

			`diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update`
			`index a168bb9573a9fbb9ff15f0b19bb8ec75b48d82a9..4a7ba137c4711aa3f8b064fdd482ffee76c59949 100644`
			`--- a/install/updates/20-aci.update`
			`+++ b/install/updates/20-aci.update`
			`@@ -141,11 +141,13 @@ add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can`

			`# Allow member managers to modify members of user groups`
			`dn: cn=groups,cn=accounts,$SUFFIX`
			`-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)`
			`+remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)`
			`+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)`

			`# Allow member managers to modify members of host groups`
			`dn: cn=hostgroups,cn=accounts,$SUFFIX`
			`-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)`
			`+remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)`
			`+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)`

			`# Hosts can add and delete their own services`
			`dn: cn=services,cn=accounts,$SUFFIX`
			`--`
			`2.38.1`