3 files changed, 26 insertions, 9 deletions

diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index e03c65c4d..2805e2f6f 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -4,7 +4,7 @@ dn: $SUFFIX
 changetype: modify
 add: aci
 aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
-aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || ipaUniqueId || memberOf || serverHostName")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";)
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index d742a791e..61fedd98a 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -234,6 +234,10 @@ class LDAPObject(Object):
             if parent_obj.primary_key:
                 yield parent_obj.primary_key.clone(query=True)
 
+    def has_objectclass(self, classes, objectclass):
+        oc = map(lambda x:x.lower(),classes)
+        return objectclass.lower() in oc
+
     def convert_attribute_members(self, entry_attrs, *keys, **options):
         if options.get('raw', False):
             return
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 1994c010f..5ecc72ae8 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -291,23 +291,28 @@ class group_detach(LDAPRemoveMember):
         group_dn = self.obj.get_dn(*keys, **options)
         user_dn = self.api.Object['user'].get_dn(*keys)
 
+        (user_dn, user_attrs) = ldap.get_entry(user_dn)
+        is_managed = self.obj.has_objectclass(user_attrs['objectclass'], 'mepmanagedentry')
         if (not ldap.can_write(user_dn, "objectclass") or
-            not ldap.can_write(user_dn, "mepManagedEntry")):
+            not (ldap.can_write(user_dn, "mepManagedEntry")) and is_managed):
             raise errors.ACIError(info=_('not allowed to modify user entries'))
 
+        (group_dn, group_attrs) = ldap.get_entry(group_dn)
+        is_managed = self.obj.has_objectclass(group_attrs['objectclass'], 'mepmanagedby')
         if (not ldap.can_write(group_dn, "objectclass") or
-            not ldap.can_write(group_dn, "mepManagedBy")):
+            not (ldap.can_write(group_dn, "mepManagedBy")) and is_managed):
             raise errors.ACIError(info=_('not allowed to modify group entries'))
 
-        (user_dn, user_attrs) = ldap.get_entry(user_dn)
         objectclasses = user_attrs['objectclass']
         try:
             i = objectclasses.index('mepOriginEntry')
+            del objectclasses[i]
+            update_attrs = {'objectclass': objectclasses, 'mepManagedEntry': None}
+            ldap.update_entry(user_dn, update_attrs)
         except ValueError:
-            raise NotFound(reason=_('Not a managed group'))
-        del objectclasses[i]
-        update_attrs = {'objectclass': objectclasses, 'mepManagedEntry': None}
-        ldap.update_entry(user_dn, update_attrs)
+            # Somehow the user isn't managed, let it pass for now. We'll
+            # let the group throw "Not managed".
+            pass
 
         (group_dn, group_attrs) = ldap.get_entry(group_dn)
         objectclasses = group_attrs['objectclass']
@@ -315,8 +320,16 @@ class group_detach(LDAPRemoveMember):
             i = objectclasses.index('mepManagedEntry')
         except ValueError:
             # this should never happen
-            raise NotFound(reason=_('Not a managed group'))
+            raise errors.NotFound(reason=_('Not a managed group'))
         del objectclasses[i]
+
+        # Make sure the resulting group has the default group objectclasses
+        config = ldap.get_ipa_config()[1]
+        def_objectclass = config.get(
+            self.obj.object_class_config, objectclasses
+        )
+        objectclasses = list(set(def_objectclass + objectclasses))
+
         update_attrs = {'objectclass': objectclasses, 'mepManagedBy': None}
         ldap.update_entry(group_dn, update_attrs)