[Freeipa-devel] [PATCH 0303] ipalib: Make sure correct attribute name is referenced for

Tomas Babej tbabej at redhat.com
Thu Feb 19 17:19:05 UTC 2015


On 02/19/2015 06:13 PM, Martin Kosek wrote:
> On 02/19/2015 05:55 PM, Tomas Babej wrote:
>> On 02/19/2015 05:45 PM, Martin Kosek wrote:
>>> On 02/19/2015 05:40 PM, Alexander Bokovoy wrote:
>>>> On Thu, 19 Feb 2015, Tomas Babej wrote:
>>>>> On 02/19/2015 05:32 PM, Martin Kosek wrote:
>>>>>> On 02/19/2015 05:29 PM, Alexander Bokovoy wrote:
>>>>>>> On Thu, 19 Feb 2015, Tomas Babej wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Fixes the invalid attribute name reference in the
>>>>>>>> 'System: Read User Addressbook Attributes' permission.
>>>>>>>>
>>>>>>>> https://fedorahosted.org/freeipa/ticket/4883
>>>>>>>>
>>>>>>>> Tomas
>>>>>>>>>   From 93ab1bf897151992df4bd3588386cf8fed4849d2 Mon Sep 17 00:00:00 2001
>>>>>>>> From: Tomas Babej <tbabej at redhat.com>
>>>>>>>> Date: Thu, 19 Feb 2015 17:10:37 +0100
>>>>>>>> Subject: [PATCH] ipalib: Make sure correct attribute name is referenced for
>>>>>>>> fax
>>>>>>>>
>>>>>>>> Fixes the invalid attribute name reference in the
>>>>>>>> 'System: Read User Addressbook Attributes' permission.
>>>>>>>>
>>>>>>>> https://fedorahosted.org/freeipa/ticket/4883
>>>>>>>> ---
>>>>>>>> ipalib/plugins/user.py | 2 +-
>>>>>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>>>>>>
>>>>>>>> diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
>>>>>>>> index
>>>>>>>> 56585b9f86593c0c5879139103bc71707b88e15f..abe5ee26b8e48681eeb0cbb3bcff8617e212225c
>>>>>>>>
>>>>>>>>
>>>>>>>> 100644
>>>>>>>> --- a/ipalib/plugins/user.py
>>>>>>>> +++ b/ipalib/plugins/user.py
>>>>>>>> @@ -276,7 +276,7 @@ class user(LDAPObject):
>>>>>>>>               'ipapermright': {'read', 'search', 'compare'},
>>>>>>>>               'ipapermdefaultattr': {
>>>>>>>>                   'seealso', 'telephonenumber',
>>>>>>>> -                'fax', 'l', 'ou', 'st', 'postalcode', 'street',
>>>>>>>> +                'facsimiletelephonenumber', 'l', 'ou', 'st', 'postalcode',
>>>>>>>> 'street',
>>>>>>>>                   'destinationindicator', 'internationalisdnnumber',
>>>>>>>>                   'physicaldeliveryofficename', 'postaladdress',
>>>>>>>> 'postofficebox',
>>>>>>>>                   'preferreddeliverymethod', 'registeredaddress',
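Review bot: the diffstat lists only ipalib/plugins/user.py, so replacing 'fax' in the 'ipapermdefaultattr' set of this permission leaves ACI.txt out of sync with the permission definition. The final message in this thread confirms the original patch was missing that update, so it belongs in the same commit. The commit message calls the old name "invalid" without saying why. It would help to record that 'fax' is a schema alias of facsimileTelephoneNumber that did not take effect in the ACI, so a later reader does not reintroduce the short name.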
>>>>>>> 00core.ldif still contains 'fax' definition as an alias to
>>>>>>> 'facsimileTelephoneNumber' so strictly speaking both should be allowed
>>>>>>> even though 'fax' attribute name is deprecated.
>>>>>> Should, but does not (I tested). This may be a gap in DS ACI evaluation.
>>>>>> However, for FreeIPA side, I prefer Tomas' change, even for compatibility
>>>>>> with
>>>>>> other DS-es - so ACK from me.
>>>>> Martin is right, however, I think Alexander was pointing out that we should
>>>>> support the deprecated name 'fax', as well as 'facsimileTelephoneNumber'
>>>>> directly in the 'System: Read User Addressbook Attributes' read permission.
>>>>>
>>>>> Am I reading this correctly?
>>>> Exactly, both names should be supported in the ACI.
>>> Ah, I thought you were referring to DS, not being able to recognize the
>>> alias. Although following this logic, we should for example also have ACIs for
>>> commonName, given it's an alias for "cn", right?
>> Attaching updated patch with both fax and facsimileTelephoneNumber.
>>
>> However, Martin is right, the problem occurs multiple times:
>>
>> attributeTypes: ( 2.5.4.6 NAME ( 'c' 'countryName' )
>> attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' )
>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>> attributeTypes: ( 2.5.4.49 NAME ( 'distinguishedName' 'dn' )
>> attributeTypes: ( 2.5.4.23 NAME ( 'facsimileTelephoneNumber' 'fax' )
>> attributeTypes: ( 2.5.4.7 NAME ( 'l' 'locality' 'localityname' )
>> attributeTypes: ( 2.5.4.10 NAME ( 'o' 'organizationname' )
>> attributeTypes: ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' )
>> attributeTypes: ( 2.5.4.4 NAME ( 'sn' 'surName' )
>> attributeTypes: ( 2.5.4.8 NAME ( 'st' 'stateOrProvinceName' )
>> attributeTypes: ( 2.5.4.9 NAME ( 'street' 'streetaddress' )
>> attributeTypes: ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' )
> I would personally still be OK only with the fax attribute (the original patch)
> - so that our behavior is consistent with these attributes. Should not harm us
> as our API only supports facsimileTelephoneNumber anyway.
>
> Not a blocker though.

I agree here. Attaching the final version, the original patch was 
missing the ACI.txt update.

Tomas

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0303-3-ipalib-Make-sure-correct-attribute-name-is-reference.patch
Type: text/x-patch
Size: 4062 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150219/a6a3a584/attachment.bin>
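The alias mismatch discussed in this thread can be checked mechanically before a permission ships. The following is an added example, not part of the original message or of FreeIPA's code: the function names are hypothetical, the schema sample is constructed from lines quoted above plus one single-name entry, and it assumes that the first name in each NAME list is the primary one and that ACI matching is by literal attribute name, as reported in the thread.

```python
import re

# Constructed sample: attributeTypes lines in the truncated form quoted in
# the thread, plus one single-name entry to exercise both NAME syntaxes.
SCHEMA = """\
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' )
attributeTypes: ( 2.5.4.23 NAME ( 'facsimileTelephoneNumber' 'fax' )
attributeTypes: ( 2.5.4.7 NAME ( 'l' 'locality' 'localityname' )
attributeTypes: ( 2.5.4.9 NAME ( 'street' 'streetaddress' )
attributeTypes: ( 2.5.4.20 NAME 'telephoneNumber'
"""

# Matches "( <oid> NAME ( 'a' 'b' )" as well as "( <oid> NAME 'a'".
NAME_RE = re.compile(
    r"\(\s*([\d.]+)\s+NAME\s+(?:\(\s*((?:'[^']+'\s*)+)\)|'([^']+)')"
)


def parse_names(schema_text):
    """Map each lowercased attribute name to (oid, primary_name)."""
    index = {}
    for match in NAME_RE.finditer(schema_text):
        oid, multi, single = match.groups()
        names = re.findall(r"'([^']+)'", multi) if multi else [single]
        for name in names:
            # Assumption: the first listed name is the primary one.
            index[name.lower()] = (oid, names[0])
    return index


def lint_permission_attrs(attrs, index):
    """Return (attr, problem, suggested_name) for names an ACI may not match."""
    findings = []
    for attr in sorted(attrs):
        entry = index.get(attr.lower())
        if entry is None:
            findings.append((attr, "unknown", None))
        elif entry[1].lower() != attr.lower():
            findings.append((attr, "alias", entry[1]))
    return findings


if __name__ == "__main__":
    idx = parse_names(SCHEMA)
    # Subset of the permission's attribute list before the patch.
    for finding in lint_permission_attrs({"telephonenumber", "fax", "l"}, idx):
        print(finding)
```

Run against the full schema files of the directory server, the same check would also flag the other alias pairs listed in the thread if they appeared in a permission under their secondary name.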

