[Freeipa-devel] Design Review Keytab Retrieval

Simo Sorce simo at redhat.com
Mon Jun 23 18:35:06 UTC 2014


----- Original Message -----
> ----- Original Message -----
> > > Can you check if ipaProtectedOperation is in the aci attribute in the
> > > base tree object ?
> > > It should be there as excluded, and that should cause admin to not be
> > > able to retrieve keytabs.
> > 
> > It was not. While running ipa-ldap-updater I got the following:
> > InvalidSyntax: ACL Syntax Error(-5):(targetattr=
> > \22ipaProtectedOperation;write_keys\22)(version 3.0; acl \22Admins are
> > allowed to rekey any entity\22; allow(write) groupdn =
> > \22ldap:///cn=admins: Invalid syntax.
> 
> Uhmm, I do not see anything obviously wrong with the ACI instruction, it looks
> just like the one I replaced. Ideas?
> Do you have ipaProtectedOperation in the schema?
> 
> (I rebased patch 3 but will wait to send a patchset until we understand (and
> fix) why this is failing to update.)

Ok, apparently it was a quoting issue in the .update files, hopefully that's
the only issue (I am at a conference today and do not have my test env. handy).

The attached patches are rebased on the latest master.

Simo.
-------------- next part --------------
Attachments (non-text, scrubbed from the archive; type text/x-patch):

  0001-keytabs-Modularize-setkeytab-operation.patch (36280 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140623/d3cbdf75/attachment.bin>

  0002-keytabs-Expose-and-modify-key-encoding-function.patch (5297 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140623/d3cbdf75/attachment-0001.bin>

  0003-keytab-Add-new-extended-operation-to-get-a-keytab.patch (32006 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140623/d3cbdf75/attachment-0002.bin>

  0004-ipa-getkeytab-Modularize-ldap_set_keytab-function.patch (11294 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140623/d3cbdf75/attachment-0003.bin>

  0005-ipa-getkeytab-Add-support-for-get_keytab-extop.patch (16607 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140623/d3cbdf75/attachment-0004.bin>

  0006-man-Add-r-option-to-ipa-getkeytab.1.patch (2016 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140623/d3cbdf75/attachment-0005.bin>
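The ACI rejected by ipa-ldap-updater in the quoted error above reached the server with backslash-hex escapes (\22) where the double quotes should have been, which is the quoting problem Simo points at. The following lint is an added example, not code from the FreeIPA project or from this thread: it parses a 389-ds ACI string, flags the escape residue, unbalanced quotes and parentheses, and checks that targetattr names the ipaProtectedOperation;write_keys subtype the patches rely on. Both sample ACIs are constructed here; the group DN suffix after cn=admins in the fixed one is an assumption, since the error message was truncated at that point.

```python
import re

# Constructed sample: the ACI as it appeared in the ipa-ldap-updater error on
# this thread. Raw strings keep the literal \22 escape that the server choked on.
BROKEN_ACI = (
    r'(targetattr=\22ipaProtectedOperation;write_keys\22)'
    r'(version 3.0; acl \22Admins are allowed to rekey any entity\22; '
    r'allow(write) groupdn = \22ldap:///cn=admins'
)

# Constructed sample: the same ACI with real double quotes. Everything after
# cn=admins is an assumption; the error text stopped there.
FIXED_ACI = (
    '(targetattr="ipaProtectedOperation;write_keys")'
    '(version 3.0; acl "Admins are allowed to rekey any entity"; '
    'allow(write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com";)'
)

# Keywords whose value must be a double-quoted string. targetattr may use '!='
# for an exclusion; acl takes no '=' at all.
QUOTED_KEYWORDS = ("targetattr", "acl", "groupdn", "userdn")


def lint_aci(aci: str) -> list[str]:
    """Return the quoting/structure problems found; an empty list means it looks sane."""
    problems = []
    if "\\22" in aci:
        problems.append("literal \\22 escapes present; the server expects real double quotes")
    if aci.count('"') % 2:
        problems.append("odd number of double quotes (unterminated string)")
    depth = 0
    for ch in aci:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                problems.append("closing parenthesis without an opening one")
                break
    if depth > 0:
        problems.append("%d unclosed parenthesis(es)" % depth)
    for kw in QUOTED_KEYWORDS:
        # keyword is used but its value is not a double-quoted string
        if re.search(r"\b%s\b" % kw, aci) and not re.search(
            r'\b%s\s*(?:!=|=)?\s*"[^"]*"' % kw, aci
        ):
            problems.append("%s value is not a double-quoted string" % kw)
    if not aci.rstrip().endswith(";)"):
        problems.append("ACI body does not end with ';)'")
    return problems


def parse_aci(aci: str) -> dict:
    """Extract the fields of a well-formed ACI; raise ValueError with the lint findings otherwise."""
    problems = lint_aci(aci)
    if problems:
        raise ValueError("; ".join(problems))
    fields = {}
    m = re.search(r'\btargetattr\s*(!=|=)\s*"([^"]*)"', aci)
    if m:
        fields["targetattr_op"] = m.group(1)   # '=' includes, '!=' excludes
        fields["targetattr"] = m.group(2)
    for kw in ("acl", "groupdn", "userdn"):
        m = re.search(r'\b%s\s*=?\s*"([^"]*)"' % kw, aci)
        if m:
            fields[kw] = m.group(1)
    m = re.search(r"\b(allow|deny)\s*\(([^)]*)\)", aci)
    if m:
        fields["rights"] = (m.group(1), [r.strip() for r in m.group(2).split(",")])
    return fields


def targets_attribute(aci: str, attr: str) -> bool:
    """True if the ACI positively targets attr (LDAP attribute names compare case-insensitively)."""
    fields = parse_aci(aci)
    if fields.get("targetattr_op") != "=":
        return False
    names = [t.strip().lower() for t in fields["targetattr"].split("||")]
    return attr.lower() in names


if __name__ == "__main__":
    for label, aci in (("broken", BROKEN_ACI), ("fixed", FIXED_ACI)):
        print(label, lint_aci(aci) or "ok")
    print(parse_aci(FIXED_ACI))
    print(targets_attribute(FIXED_ACI, "ipaProtectedOperation;write_keys"))
```

Running the lint over an .update file's aci values before handing them to ipa-ldap-updater turns the server's bare "Invalid syntax" into a message that names the offending quote or parenthesis.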