[Freeipa-devel] [PATCH] 728 default roles

Rob Crittenden rcritten at redhat.com
Fri Feb 18 15:29:42 UTC 2011


Jakub Hrozek wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 02/17/2011 04:35 AM, Rob Crittenden wrote:
>> Add default roles and permissions for HBAC, SUDO and pw policy
>>
>> Created some default roles as examples. In doing so I realized that we
>> were completely missing default rules for HBAC, SUDO and password policy
>> so I added those as well.
>>
>> I ran into a problem when the updater has a default record and an add at
>> the same time; it should handle it better now.
>>
>> ticket 585
>>
>> rob
>>
>
> I'm not sure about the HBAC rules ACIs. They are specified as:
>
> 'target = "ldap:///cn=*,cn=hbac,$SUFFIX"'
>
> while HBAC rules' DN is:
>
> 'ipauniqueid=*,cn=hbac,$SUFFIX'.
>
> But HBAC rules do have a cn: attribute, so maybe the ACIs would work?

No, you're right, this is wrong. I'll fix it up and resubmit.

>
> The patch also needs rebasing on top of recent changes to
> install/updates/Makefile.am
>
> Other than that, looks OK to me.
>
> btw when I was reviewing this patch, I noticed we add a "DNS
> Administrators" privilege in dns.ldif. Would it make sense to add DNS
> administration to "Security Architect" (replication management) and "IT
> Specialist" (hosts management)?

The DNS stuff is added only if DNS is enabled on the server, so I can't
add them by default.

rob
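Worked illustration of the ACI target problem discussed above. This is an example added for this archive page, not code from the patch, from FreeIPA or from 389-ds. It models 389-ds target matching in a simplified way: the DN pattern in the target is compared with the entry's DN, RDN by RDN, with '*' allowed in attribute values, and a target also covers entries beneath the DN it names. The entry's attributes are never consulted, which is why an HBAC rule having a cn attribute does not help when its RDN is ipauniqueid. $SUFFIX is replaced with a constructed suffix, dc=example,dc=com, and the rule DN is constructed too.

```python
"""Why "ldap:///cn=*,cn=hbac,$SUFFIX" does not cover HBAC rule entries.

Added example for this thread; not code from the patch, FreeIPA or 389-ds.
Simplified model of 389-ds ACI target matching: the target's DN pattern is
compared with the entry's DN RDN by RDN, '*' is allowed in attribute values,
and a pattern also covers entries below the DN it names. Entry attributes
(such as an HBAC rule's cn) are never consulted.
"""
import fnmatch
import re

SUFFIX = "dc=example,dc=com"  # constructed; stands in for $SUFFIX

# Target as written in the patch under review, and the corrected form.
PATCH_TARGET = "ldap:///cn=*,cn=hbac,%s" % SUFFIX
FIXED_TARGET = "ldap:///ipauniqueid=*,cn=hbac,%s" % SUFFIX

# Constructed DN of an HBAC rule; the RDN is ipauniqueid, not cn.
HBAC_RULE_DN = "ipauniqueid=0e4f6a6c-example,cn=hbac,%s" % SUFFIX


def split_dn(dn):
    """Split a DN into (type, value) pairs. Types and values are lowered for
    comparison (a simplification); escaped commas (\\,) in values are kept."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().lower(), value.strip().lower()))
    return parts


def parse_target(target):
    """Return the DN pattern carried by an ACI target of the form ldap:///<dn>."""
    prefix = "ldap:///"
    if not target.startswith(prefix):
        raise ValueError("unsupported ACI target: %r" % target)
    return split_dn(target[len(prefix):])


def target_matches(target, entry_dn, entry_attrs=None):
    """True if entry_dn (or one of its ancestors) matches the target pattern.

    entry_attrs is accepted only to make the point explicit: it is ignored,
    because target matching works on the DN alone."""
    pattern = parse_target(target)
    dn = split_dn(entry_dn)
    if len(dn) < len(pattern):
        return False
    # The pattern always ends in the suffix, so the only candidate is the
    # trailing part of the DN of the same length (the entry or an ancestor).
    candidate = dn[-len(pattern):]
    return all(
        p_type == e_type and fnmatch.fnmatchcase(e_value, p_value)
        for (p_type, p_value), (e_type, e_value) in zip(pattern, candidate)
    )


def check_patch_targets():
    """Summarise the thread's point as a dict of label -> covered."""
    rule_attrs = {"cn": "allow_all", "ipauniqueid": "0e4f6a6c-example"}
    sudo_rule_dn = "ipauniqueid=1234-example,cn=sudorules,cn=sudo,%s" % SUFFIX
    return {
        "patch target covers HBAC rule": target_matches(PATCH_TARGET, HBAC_RULE_DN, rule_attrs),
        "fixed target covers HBAC rule": target_matches(FIXED_TARGET, HBAC_RULE_DN, rule_attrs),
        # The corrected target must not leak into the sibling SUDO container.
        "fixed target covers sudo rule": target_matches(FIXED_TARGET, sudo_rule_dn),
    }


if __name__ == "__main__":
    for label, covered in check_patch_targets().items():
        print("%-32s %s" % (label, covered))
```

Running it shows the patch's target matching no HBAC rule while the ipauniqueid form matches the rule and stays out of cn=sudo; the same check is a cheap thing to run over every target in a new *.ldif before it lands in install/updates.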



