[Freeipa-devel] Design Review Keytab Retrieval

Martin Kosek mkosek at redhat.com
Thu Jun 26 08:37:42 UTC 2014


On 06/26/2014 04:29 AM, Nathaniel McCallum wrote:
> On Mon, 2014-06-23 at 17:24 -0400, Nathaniel McCallum wrote:
>> On Mon, 2014-06-23 at 14:35 -0400, Simo Sorce wrote:
>>> ----- Original Message -----
>>>> ----- Original Message -----
>>>>>> Can you check if ipaProtectedOperation is in the aci attribute in the
>>>>>> base tree object ?
>>>>>> It should be there as excluded, and that should cause admin to not be
>>>>>> able to retrieve keytabs.
>>>>>
>>>>> It was not. While running ipa-ldap-updater I got the following:
>>>>> InvalidSyntax: ACL Syntax Error(-5):(targetattr=
>>>>> \22ipaProtectedOperation;write_keys\22)(version 3.0; acl \22Admins are
>>>>> allowed to rekey any entity\22; allow(write) groupdn =
>>>>> \22ldap:///cn=admins: Invalid syntax.
>>>>
>>>> Uhmm, I do not see anything obviously wrong with the ACI instruction, it looks
>>>> just like the one I replaced. Ideas?
>>>> Do you have ipaProtectedOperation in the schema ?
>>>>
>>>> (I rebased patch 3 but will wait to send a patchset until we understand (and
>>>> fix) why this is failing to update.)
>>>
>>> Ok, apparently it was a quoting issue in the .update files, hopefully that's
>>> the only issue (I am at a conference today and do not have my test env. handy).
>>>
>>> The attached patches are rebased on the latest master.
>>
>> 0001: Line 555 has very wrong indentation.
>>
>> I don't see anything else wrong in the other patches. I've tested
>> everything and it works as designed.
>>
>> I have CC'd everyone who was involved with review at any point on these
>> patches. This serves as my public notice that I'd like to ACK the next
>> round of patches. If anyone has anything else to add, please do it
>> before tomorrow evening. Thanks!
>>
>> Nathaniel
> 
> ACK
> 
> Nathaniel

Pushed all 6 patches to master. Thanks for the careful review!

Martin
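Added example (not FreeIPA's code and not from the thread): a small Python lint for the 389-ds ACI syntax the thread is tripping over. It splits an ACI into its parenthesised target clauses and its "(version 3.0; ...)" body, decodes the \22 hex escapes that ipa-ldap-updater prints for '"', and reports unbalanced quotes or parentheses, which is what the truncated groupdn = "ldap:///cn=admins in the quoted error reduces to. The function names are mine, and the full groupdn in the well-formed sample (ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com) is an assumed placeholder, not something the page states.

```python
"""Minimal lint for 389-ds / FreeIPA ACI strings.

Added example, not FreeIPA's own code. Splits an ACI into its
parenthesised target clauses and its "(version 3.0; ...)" body and
reports unbalanced quotes or parentheses, which is how a quoting
mistake in a .update file surfaces as "ACL Syntax Error ... Invalid
syntax" when ipa-ldap-updater tries to apply it.
"""
import re

# (targetattr = "ipaProtectedOperation;write_keys") and friends
TARGET_RE = re.compile(r'^\((\w+)\s*(!?=)\s*"([^"]*)"\)$')
# (version 3.0; acl "name"; allow (rights) bindrule;)
BODY_RE = re.compile(
    r'^\(version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*'
    r'(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*;?\s*\)$',
    re.DOTALL,
)

# The ACI as the error in the thread prints it, with \22 standing for '"'.
# It stops at cn=admins because the updater's message is cut off there.
BROKEN_ACI_PRINTED = (
    r'(targetattr=\22ipaProtectedOperation;write_keys\22)(version 3.0; '
    r'acl \22Admins are allowed to rekey any entity\22; allow(write) '
    r'groupdn = \22ldap:///cn=admins'
)

# A well-formed version. The full groupdn is an ASSUMED placeholder
# constructed for this example, not taken from the thread.
GOOD_ACI = (
    '(targetattr = "ipaProtectedOperation;write_keys")'
    '(version 3.0; acl "Admins are allowed to rekey any entity"; '
    'allow(write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,'
    'dc=example,dc=com";)'
)


def unescape_ldap_hex(s):
    """Decode \\XX hex escapes (\\22 -> '"') as printed by ipa-ldap-updater."""
    return re.sub(r'\\([0-9A-Fa-f]{2})',
                  lambda m: chr(int(m.group(1), 16)), s)


BROKEN_ACI = unescape_ldap_hex(BROKEN_ACI_PRINTED)


def split_clauses(aci):
    """Return the top-level '(...)' clauses; parentheses inside quotes are data."""
    clauses, depth, in_quote, start = [], 0, False, None
    for i, ch in enumerate(aci):
        if ch == '"':
            in_quote = not in_quote
        elif in_quote:
            continue
        elif ch == '(':
            if depth == 0:
                start = i
            depth += 1
        elif ch == ')':
            if depth == 0:
                raise ValueError("unexpected ')' at offset %d" % i)
            depth -= 1
            if depth == 0:
                clauses.append(aci[start:i + 1])
        elif depth == 0 and not ch.isspace():
            raise ValueError("text outside any clause at offset %d" % i)
    if in_quote:
        raise ValueError("unbalanced double quote")
    if depth:
        raise ValueError("unbalanced parentheses (%d unclosed)" % depth)
    return clauses


def parse_aci(aci):
    """Parse an ACI into {'targets': {...}, 'body': {...}}; ValueError if malformed."""
    targets, body = {}, None
    for clause in split_clauses(aci):
        m = TARGET_RE.match(clause)
        if m:
            targets[m.group(1).lower()] = (m.group(2), m.group(3))
            continue
        m = BODY_RE.match(clause)
        if m:
            if body is not None:
                raise ValueError("more than one (version 3.0; ...) body")
            body = {
                "name": m.group(1),
                "effect": m.group(2),
                "rights": [r.strip() for r in m.group(3).split(",") if r.strip()],
                "bindrule": m.group(4),
            }
            continue
        raise ValueError("unrecognised clause: %s" % clause)
    if body is None:
        raise ValueError("missing (version 3.0; ...) body")
    return {"targets": targets, "body": body}


def lint_aci(aci):
    """None if the ACI parses, otherwise the error text (never raises)."""
    try:
        parse_aci(aci)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    for label, aci in (("thread", BROKEN_ACI), ("fixed", GOOD_ACI)):
        print("%s: %s" % (label, lint_aci(aci) or parse_aci(aci)))
```

Running it against the string from the thread reports "unbalanced double quote"; the well-formed ACI parses to a targetattr of ipaProtectedOperation;write_keys with allow(write) for the groupdn bind rule. Feeding each ACI line of a .update file through lint_aci before running ipa-ldap-updater catches this class of quoting mistake without touching the directory server.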
