-rw-r--r--ipalib/plugins/user.py17
-rw-r--r--ipaserver/install/plugins/update_managed_permissions.py14
2 files changed, 31 insertions, 0 deletions
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 56e2fe697..604502ee7 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -195,6 +195,21 @@ def check_protected_member(user, protected_group_name=u'admins'):
raise errors.LastMemberError(key=user, label=_(u'group'),
container=protected_group_name)
+
+def fix_addressbook_permission_bindrule(name, template, is_new,
+ anonymous_read_aci,
+ **other_options):
+ """Fix bind rule type for Read User Addressbook/IPA Attributes permission
+
+ When upgrading from an old IPA that had the global read ACI,
+ or when installing the first replica with granular read permissions,
+ we need to keep allowing anonymous access to many user attributes.
+ This fixup_function changes the bind rule type accordingly.
+ """
+ if is_new and anonymous_read_aci:
+ template['ipapermbindruletype'] = 'anonymous'
+
+
class user(LDAPObject):
"""
User object.
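Review bot: The guard `if is_new and anonymous_read_aci:` relies on the truthiness of an ipalib.aci.ACI object, while the documented contract is "an ACI object, or None"; if the ACI class defines (or later grows) a `__len__`/`__bool__`, the fixup would be silently skipped and the bind rule left at its default, so `if is_new and anonymous_read_aci is not None:` pins the intended test. Because this branch deliberately makes the permission readable by anonymous binds, the docstring should also state the negative case so the security consequence is explicit: `On a fresh install (no legacy anonymous ACI) or for an already-existing permission the template is left untouched and the default bind rule type applies.` A debug log line at the point where the bind rule is switched would make this upgrade-time widening visible in installer logs. The `class user` docstring at the end of this hunk continues outside it.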
@@ -263,6 +278,7 @@ class user(LDAPObject):
'usersmimecertificate', 'x500uniqueidentifier',
'inetuserhttpurl', 'inetuserstatus',
},
+ 'fixup_function': fix_addressbook_permission_bindrule,
},
'System: Read User IPA Attributes': {
'replaces_global_anonymous_aci': True,
@@ -271,6 +287,7 @@ class user(LDAPObject):
'ipapermdefaultattr': {
'ipauniqueid', 'ipasshpubkey', 'ipauserauthtype', 'userclass',
},
+ 'fixup_function': fix_addressbook_permission_bindrule,
},
'System: Read User Kerberos Attributes': {
'replaces_global_anonymous_aci': True,
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 175a5bf47..72c1b131f 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -64,6 +64,14 @@ The template dictionary can have the following keys:
* non_object
- If true, no object-specific defaults are used (e.g. for
ipapermtargetfilter, ipapermlocation).
+* fixup_function
+ - A callable that may modify the template in-place before it is applied.
+ - Called with the permission name, template dict, and keyword arguments:
+ - is_new: true if the permission was previously existing
+ - anonymous_read_aci: the legacy 'Enable Anonymous access' ACI as
+ an ipalib.aci.ACI object, or None if it does not exist
+ Extra keyword arguments must be ignored, since this list may grow
+ in the future.
No other keys are allowed in the template
"""
@@ -313,6 +321,12 @@ class update_managed_permissions(PostUpdate):
template = dict(template)
+ fixup_function = template.pop('fixup_function', None)
+ if fixup_function:
+ fixup_function(name, template,
+ is_new=is_new,
+ anonymous_read_aci=anonymous_read_aci)
+
if template.pop('non_object', False):
obj = None