[Freeipa-devel] Objectclasses for target filters in default permissions
Petr Viktorin
pviktori at redhat.com
Thu Jan 9 14:14:42 UTC 2014
On 01/09/2014 03:07 PM, Simo Sorce wrote:
> On Thu, 2014-01-09 at 13:15 +0100, Petr Viktorin wrote:
>> Hello,
>> When I'm done with [#4074], the "type" permissions will use a target
>> filter, e.g.:
>>
>> ipa permission-add \
>> 'Modify Account Expiration' \
>> --attr=krbPrincipalExpiration \
>> --type=user --perm=write
>>
>> should result in this ACI at cn=users,...:
>>
>> (targetattr = "krbPrincipalExpiration")
>> (targetfilter = "(objectclass=ipauser)")
>> (version 3.0;
>> acl "permission:Modify Account Expiration";
>> allow (write) groupdn = "ldap:///cn=Modify Account
>> Expiration,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)
>>
>> The probjem is matching the "user" type with the "ipauser" objectclass.
>> I've looked, but I don't think we have such "canonical objectclasses"
>> defined anywhere in the code. There is object_class and
>> possible_objectclasses for each object type in the plugins, but these
>> aren't adequate: user has "posixaccount"; some have multiple
>> objectclasses listed (even `top` in one case). (Of course it's not a
>> problem to add multiple classes to the filter, it just seems superfluous.)
>> I'd like to add a new attribute to LDAPObject that lists the
>> objectclass(es) for permission filters. This would also mean the list of
>> allowed `type`s for permissions can be pulled from the plugins, rather
>> than being hardcoded in the aci/permission plugin.
>
> Sounds reasonable, I trust the objetclass can be manually changed anyway
> if an admin needs to do so ?
>
> Simo.
Yes, `type` is just a convenience shortcut to set the location + filter,
which can be manipulated individually.
Removing the objectclass filter would make the permission no longer show
up as that `type`.
--
Petr³
More information about the Freeipa-devel
mailing list