[Freeipa-devel] [PATCH] 477 Add Modify Realm Domains permission

Martin Kosek mkosek at redhat.com
Fri Jul 4 08:08:23 UTC 2014


On 07/04/2014 10:00 AM, Petr Spacek wrote:
> On 4.7.2014 09:34, Martin Kosek wrote:
>> The permission is required for DNS Administrators as realm domains
>> object is updated when a master zone is added.
>>
>> https://fedorahosted.org/freeipa/ticket/4423
> 
> I can't resist ;-)
> 
> NACK: Build failed.
> 
> --- existing ACI.txt
> +++ new result
> @@ -154,6 +154,8 @@
>  aci: (targetattr = "krbmaxpwdlife || krbminpwdlife ||
> krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration ||
> krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength")(targetfilter =
> "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Modify Group
> Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group
> Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
>  dn: cn=System: Read Group Password
> Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
>  aci: (targetattr = "cn || cospriority || krbmaxpwdlife || krbminpwdlife ||
> krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration ||
> krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength ||
> objectclass")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl
> "permission:System: Read Group Password Policy";allow (compare,read,search)
> groupdn = "ldap:///cn=System: Read Group Password
> Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
> +dn: cn=System: Modify Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
> +aci: (targetattr = "associateddomain")(targetfilter =
> "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Modify
> Realm Domains";allow (write) groupdn = "ldap:///cn=System: Modify Realm
> Domains,cn=permissions,cn=pbac,dc=ipa,dc=example";)
>  dn: cn=System: Read Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
>  aci: (targetattr = "associateddomain || cn || objectclass")(targetfilter =
> "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Read
> Realm Domains";allow (compare,read,search) userdn = "ldap:///all";)
>  dn: cn=System: Add Roles,cn=permissions,cn=pbac,dc=ipa,dc=example
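Review bot: the two added lines (the dn and aci for "System: Modify Realm Domains") appear only in the generated result and not in the existing ACI.txt, so the patch should carry the regenerated ACI.txt produced by `makeaci` alongside the permission change. Separately, the added aci allows write on associateddomain using only a targetfilter of (objectclass=domainrelatedobject), with no target clause visible. Its reach therefore depends on where the ACI is stored. It is worth confirming that this resolves to the realm domains entry alone, so that members of the permission group cannot modify associateddomain on other entries carrying that objectclass.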
> 
> Managed permission ACI validation failed.
> Re-check permission changes and run `makeaci`.
> ACI.txt validation failed

Oh, well - here is an updated patch.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-477-2-add-modify-realm-domains-permission.patch
Type: text/x-patch
Size: 3145 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140704/ff90dcda/attachment.bin>

