[Freeipa-devel] [PATCH] 728 default roles

Rob Crittenden rcritten at redhat.com
Mon Feb 21 15:11:38 UTC 2011


Rob Crittenden wrote:
> Jakub Hrozek wrote:
>>
>> On 02/17/2011 04:35 AM, Rob Crittenden wrote:
>>> Add default roles and permissions for HBAC, SUDO and pw policy
>>>
>>> Created some default roles as examples. In doing so I realized that we
>>> were completely missing default rules for HBAC, SUDO and password policy
>>> so I added those as well.
>>>
>>> I ran into a problem when the updater has a default record and an add at
>>> the same time; it should handle it better now.
>>>
>>> ticket 585
>>>
>>> rob
>>>
>>
>> I'm not sure about the HBAC rules ACIs. They are specified as:
>>
>> 'target = "ldap:///cn=*,cn=hbac,$SUFFIX"'
>>
>> while HBAC rules' DN is:
>>
>> 'ipauniqueid=*,cn=hbac,$SUFFIX'.
>>
>> But HBAC rules do have a cn: attribute, so maybe the ACIs would work?
>
> No, you're right, this is wrong. I'll fix it up and resubmit.
>
>>
>> The patch also needs rebasing on top of recent changes to
>> install/updates/Makefile.am
>>
>> Other than that, looks OK to me.
>>
>> btw when I was reviewing this patch, I noticed we add a "DNS
>> Administrators" privilege in dns.ldif. Would it make sense to add DNS
>> administration to "Security Architect" (replication management) and "IT
>> Specialist" (hosts management)?
>
> The DNS stuff is added only if DNS is enabled on the server so I can't
> add them by default.
>
> rob

Updated patch.

rob
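As an added illustration of the review point about the HBAC ACI target (example code written here, not from the patch or from FreeIPA): a simplified model of 389-ds ACI target matching, RDN by RDN, showing that `cn=*,cn=hbac,$SUFFIX` does not cover an entry named `ipauniqueid=...,cn=hbac,$SUFFIX`, while `ipauniqueid=*,cn=hbac,$SUFFIX` does. The suffix value, the sample ipauniqueid and the function names are assumptions.

```python
# Added example (not from the patch or FreeIPA): a simplified model of
# 389-ds ACI target matching. A target pattern is compared RDN by RDN with
# the entry DN: attribute types must agree (case-insensitively) and a value
# of "*" matches any value. Real ACI evaluation has more rules (subtree
# scope, escaping); this is only enough to show the review point.
SUFFIX = "dc=example,dc=com"  # constructed sample suffix

def split_rdns(dn):
    """Split a DN into (attr, value) pairs; assumes no escaped commas."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns

def target_matches(target, entry_dn):
    """True if entry_dn is covered by the ACI target DN pattern."""
    if target.startswith("ldap:///"):
        target = target[len("ldap:///"):]
    pattern = split_rdns(target.replace("$SUFFIX", SUFFIX))
    entry = split_rdns(entry_dn.replace("$SUFFIX", SUFFIX))
    if len(pattern) != len(entry):
        return False
    for (pattr, pval), (eattr, evalue) in zip(pattern, entry):
        # The leftmost RDN attribute is where cn=* and ipauniqueid=* differ.
        if pattr != eattr:
            return False
        if pval != "*" and pval.lower() != evalue.lower():
            return False
    return True

def uncovered_entries(target, entry_dns):
    """Entry DNs the target does not cover; an empty list means it is fine."""
    return [dn for dn in entry_dns if not target_matches(target, dn)]

if __name__ == "__main__":
    # Constructed HBAC rule DN in the shape the review quotes.
    rule = "ipauniqueid=0f1e2d3c-0000-4000-8000-000000000001,cn=hbac,$SUFFIX"
    for target in ('ldap:///cn=*,cn=hbac,$SUFFIX',
                   'ldap:///ipauniqueid=*,cn=hbac,$SUFFIX'):
        missed = uncovered_entries(target, [rule])
        print(target, "->", "misses" if missed else "covers", rule)
```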
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-728-2-roles.patch
Type: application/mbox
Size: 20778 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110221/3c362988/attachment.mbox>

