[Freeipa-devel] [PATCH] 728 default roles

Jakub Hrozek jhrozek at redhat.com
Fri Feb 18 15:05:30 UTC 2011


On 02/17/2011 04:35 AM, Rob Crittenden wrote:
> Add default roles and permissions for HBAC, SUDO and pw policy
> 
> Created some default roles as examples. In doing so I realized that we
> were completely missing default rules for HBAC, SUDO and password policy
> so I added those as well.
> 
> I ran into a problem when the updater has a default record and an add at
> the same time, it should handle it better now.
> 
> ticket 585
> 
> rob
> 

I'm not sure about the HBAC rules ACIs. They are specified as:

'target = "ldap:///cn=*,cn=hbac,$SUFFIX"'

while HBAC rules' DN is:

'ipauniqueid=*,cn=hbac,$SUFFIX'.

But HBAC rules do have a cn: attribute, so maybe the ACIs would work?

The patch also needs rebasing on top of recent changes to
install/updates/Makefile.am

Other than that, looks OK to me.

btw when I was reviewing this patch, I noticed we add a "DNS
Administrators" privilege in dns.ldif. Would it make sense to add DNS
administration to "Security Architect" (replication management) and "IT
Specialist" (hosts management)?
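
The target/DN mismatch raised in this review can be checked mechanically. The sketch below is an added example, not part of the original mail or of FreeIPA: an ACI `target` is compared with the entry's DN rather than with attributes stored in the entry, so the helper approximates wildcard matching on the DN string. The suffix `dc=example,dc=com`, the sample `ipaUniqueID` value and all function names are constructed for illustration, and the DN normalization is simplified (no escaped commas).

```python
import re

SUFFIX = "dc=example,dc=com"  # constructed value standing in for $SUFFIX

# Constructed sample entry DN shaped like the HBAC rule DNs quoted in the mail.
SAMPLE_HBAC_DN = "ipaUniqueID=3f2a9c1e-0000-0000-0000-000000000001,cn=hbac," + SUFFIX

def normalize_dn(dn):
    """Lowercase a DN and strip whitespace around ',' and '=' (simplified)."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(attr.strip().lower() + "=" + value.strip().lower())
    return ",".join(rdns)

def target_to_regex(target, suffix=SUFFIX):
    """Turn an ACI target URL with '*' wildcards into a regex over normalized DNs."""
    prefix = "ldap:///"
    if not target.startswith(prefix):
        raise ValueError("ACI target must be an ldap:/// URL: %r" % target)
    pattern = normalize_dn(target[len(prefix):].replace("$SUFFIX", suffix))
    # Assumption: '*' is treated as a substring wildcard over the DN string.
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))

def target_matches(target, entry_dn, suffix=SUFFIX):
    """True if the entry DN falls under the ACI target pattern."""
    return target_to_regex(target, suffix).fullmatch(normalize_dn(entry_dn)) is not None

def unmatched_targets(targets, entry_dns, suffix=SUFFIX):
    """Return targets that match none of the sample DNs (likely dead ACIs)."""
    return [t for t in targets
            if not any(target_matches(t, dn, suffix) for dn in entry_dns)]

if __name__ == "__main__":
    targets = [
        "ldap:///cn=*,cn=hbac,$SUFFIX",           # pattern quoted from the patch
        "ldap:///ipauniqueid=*,cn=hbac,$SUFFIX",  # pattern shaped like the rule DN
    ]
    for t in targets:
        print(t, "->", target_matches(t, SAMPLE_HBAC_DN))
    print("no matching entries:", unmatched_targets(targets, [SAMPLE_HBAC_DN]))
```

Running the same comparison against DNs exported from a test instance shows which delegated permissions would never apply to any entry.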
