[Freeipa-devel] Objectclasses for target filters in default permissions

Petr Viktorin pviktori at redhat.com
Thu Jan 9 12:15:54 UTC 2014 

Hello,
When I'm done with [#4074], the "type" permissions will use a target 
filter, e.g.:

     ipa permission-add \
         'Modify Account Expiration' \
         --attr=krbPrincipalExpiration \
         --type=user --perm=write

should result in this ACI at cn=users,...:

     (targetattr = "krbPrincipalExpiration")
     (targetfilter = "(objectclass=ipauser)")
     (version 3.0;
         acl "permission:Modify Account Expiration";
         allow (write) groupdn = "ldap:///cn=Modify Account 
Expiration,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)

The probjem is matching the "user" type with the "ipauser" objectclass.
I've looked, but I don't think we have such "canonical objectclasses" 
defined anywhere in the code. There is object_class and 
possible_objectclasses for each object type in the plugins, but these 
aren't adequate: user has "posixaccount"; some have multiple 
objectclasses listed (even `top` in one case). (Of course it's not a 
problem to add multiple classes to the filter, it just seems superfluous.)
I'd like to add a new attribute to LDAPObject that lists the 
objectclass(es) for permission filters. This would also mean the list of 
allowed `type`s for permissions can be pulled from the plugins, rather 
than being hardcoded in the aci/permission plugin.

Here's a list of proposed classes, and the existing lists for reference:


user:
     proposed for filter: ipauser
     object_class: posixaccount
     possible_objectclasses: meporiginentry, ipauserauthtypeclass, 
ipauser, ipatokenradiusproxyuser

group:
     proposed for filter: ipausergroup
     object_class: ipausergroup
     possible_objectclasses: posixGroup, mepManagedEntry, ipaExternalGroup

host:
     proposed for filter: ipahost
     object_class: ipaobject, nshost, ipahost, pkiuser, ipaservice
     possible_objectclasses: (none)

service:
     proposed for filter: ipaservice
     object_class: krbprincipal, krbprincipalaux, krbticketpolicyaux, 
ipaobject, ipaservice, pkiuser
     possible_objectclasses: ipakrbprincipal

hostgroup:
     proposed for filter: ipahostgroup
     object_class: ipaobject, ipahostgroup
     possible_objectclasses: (none)

netgroup:
     proposed for filter: ipanisnetgroup
     object_class: ipaobject, ipaassociation, ipanisnetgroup
     possible_objectclasses: (none)

dnsrecord:
     proposed for filter: idnsrecord
     object_class: top, idnsrecord
     possible_objectclasses: (none)


[#4074]: https://fedorahosted.org/freeipa/ticket/4074

-- 
Petr³

More information about the Freeipa-devel mailing list