[Freeipa-devel] [PATCH 0233] trusts: Add more read attributes

Tomas Babej tbabej at redhat.com
Wed Jun 25 11:47:28 UTC 2014


On 06/25/2014 11:45 AM, Petr Viktorin wrote:
> On 06/24/2014 08:15 PM, Tomas Babej wrote:
>> Attaching patch 234, which resolves another ACI issue related to trusts.
>>
>> On 06/24/2014 02:50 PM, Tomas Babej wrote:
>>> Hi,
>>>
>>> this is a follow-up patch for 232. Read access to additional attributes
>>> is required for the trust objects.
>>>
>
> First patch looks fine.
>
> For the second: should the trust ACIs apply to other objects than
> (objectclass=ipanttrusteddomain)?
> If not, we can enable "--type=trust" permissions and use it to specify
> location & filter, see attached patch.
>
>
Turns out there are also Kerberos principals stored under the cn=trust tree
and this filter would block the access to them.

Attached is a new version of 234, which allows reading krbPrincipalName
as well.

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0234-2-trusts-Allow-reading-system-trust-accounts-by-adtrus.patch
Type: text/x-patch
Size: 3820 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140625/ffbc6b9c/attachment.bin>

