[Freeipa-devel] [PATCH] 728 default roles

Jakub Hrozek jhrozek at redhat.com
Mon Feb 21 15:25:44 UTC 2011


On Mon, Feb 21, 2011 at 10:11:38AM -0500, Rob Crittenden wrote:
> Rob Crittenden wrote:
> >Jakub Hrozek wrote:
> >>
> >>On 02/17/2011 04:35 AM, Rob Crittenden wrote:
> >>>Add default roles and permissions for HBAC, SUDO and pw policy
> >>>
> >>>Created some default roles as examples. In doing so I realized that we
> >>>were completely missing default rules for HBAC, SUDO and password policy
> >>>so I added those as well.
> >>>
> >>>I ran into a problem when the updater has a default record and an add at
> >>>the same time, it should handle it better now.
> >>>
> >>>ticket 585
> >>>
> >>>rob
> >>>
> >>
> >>I'm not sure about the HBAC rules ACIs. They are specified as:
> >>
> >>'target = "ldap:///cn=*,cn=hbac,$SUFFIX"'
> >>
> >>while HBAC rules' DN is:
> >>
> >>'ipauniqueid=*,cn=hbac,$SUFFIX'.
> >>
> >>But HBAC rules do have a cn: attribute, so maybe the ACIs would work?
> >
> >No, you're right, this is wrong. I'll fix it up and resubmit.
> >
> >>
> >>The patch also needs rebasing on top of recent changes to
> >>install/updates/Makefile.am
> >>
> >>Other than that, looks OK to me.
> >>
> >>btw when I was reviewing this patch, I noticed we add a "DNS
> >>Administrators" privilege in dns.ldif. Would it make sense to add DNS
> >>administration to "Security Architect" (replication management) and "IT
> >>Specialist" (hosts management)?
> >
> >The DNS stuff is added only if DNS is enabled on the server so I can't
> >add them by default.
> >
> >rob
> 
> Updated patch.
> 
> rob

Interdiff looks fine, but I'm not able to apply the patch (not even
3-way merge), can you rebase?
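
Added example, not part of the original thread or of FreeIPA's code: a small lint for the ACI target problem discussed above, showing that a `target` DN pattern is compared with an entry's DN and not with its attributes, so `cn=*` under `cn=hbac` selects no `ipauniqueid=...` entry. The suffix, the sample rule DN, the function names and the second target (written from the DN form quoted in the thread) are assumptions, and wildcard matching is simplified to a glob over the normalized DN string.

```python
import re
from fnmatch import fnmatchcase

SUFFIX = "dc=example,dc=com"  # constructed value standing in for $SUFFIX

# Target quoted in the thread, and one built from the DN form quoted in the thread.
CN_TARGET = 'target = "ldap:///cn=*,cn=hbac,$SUFFIX"'
UNIQUEID_TARGET = 'target = "ldap:///ipauniqueid=*,cn=hbac,$SUFFIX"'

# Constructed sample entry: an HBAC rule is named by ipaUniqueID in its DN,
# even though the entry also carries a cn attribute.
SAMPLE_DNS = [
    "ipaUniqueID=11111111-2222-3333-4444-555555555555, cn=hbac, dc=example,dc=com",
]

def normalize_dn(dn):
    """Lower-case a DN and drop whitespace around ',' and '=' separators."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)

def aci_target_dn(target_clause, suffix=SUFFIX):
    """Extract the DN pattern from 'target = "ldap:///<dn>"', expanding $SUFFIX."""
    m = re.search(r'target\s*=\s*"ldap:///([^"]+)"', target_clause)
    if not m:
        raise ValueError(f"no ldap:/// target in {target_clause!r}")
    return normalize_dn(m.group(1).replace("$SUFFIX", suffix))

def target_matches(target_clause, entry_dn, suffix=SUFFIX):
    """True if the entry DN matches the target's DN pattern (simplified glob)."""
    return fnmatchcase(normalize_dn(entry_dn), aci_target_dn(target_clause, suffix))

def dead_targets(targets, entry_dns, suffix=SUFFIX):
    """Return the target clauses that select none of the given entry DNs."""
    return [t for t in targets
            if not any(target_matches(t, dn, suffix) for dn in entry_dns)]

if __name__ == "__main__":
    for t in dead_targets([CN_TARGET, UNIQUEID_TARGET], SAMPLE_DNS):
        print("ACI target selects no sample entry:", t)
```
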





