Remove ACI that was causing RDN changes to fail

Fix for session code so RDN change can succeed

433523

ipa-server/ipa-gui/ipagui/subcontrollers/user.py

@@ -421,7 +421,7 @@ class UserController(IPAController):
             raise turbogears.redirect('/user/show', uid=kw.get('uid'))
 
         edituid = cherrypy.session.get('uid')
-        if not edituid or edituid != kw.get('uid'):
+        if edituid and edituid != kw.get('uid') and edituid != kw.get('uid_hidden'):
             turbogears.flash("Something went wrong. You last viewed %s but are trying to update %s" % (kw.get('uid'), edituid))
             raise turbogears.redirect('/user/show', uid=kw.get('uid'))
 
@@ -615,9 +615,6 @@ class UserController(IPAController):
                         user_groups=user_groups_dicts,
                         tg_template='ipagui.templates.useredit')
 
-        # We no longer need this
-        cherrypy.session['uid'] = None
-
         turbogears.flash("%s updated!" % kw['uid'])
         raise turbogears.redirect('/user/show', uid=kw['uid'])
 

ipa-server/ipa-install/share/default-aci.ldif

@@ -3,7 +3,6 @@
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr = "krbMKey")(version 3.0; acl "Only the kerberos account can access this one"; deny (read, search, compare, write) userdn != "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
 aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
 aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";)