[Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes

Martin Kosek mkosek at redhat.com
Tue Jan 13 21:52:05 UTC 2015


On 01/13/2015 09:55 PM, Simo Sorce wrote:
> On Tue, 13 Jan 2015 18:16:11 +0100
> Martin Kosek <mkosek at redhat.com> wrote:
>
>> This is a crude first version of the (working) fixes for the
>> Winsync/Passsync problems caused by the PermissionV2 refactoring.
>>
>> Simo/Petr3 or others, any concerns?
>>
>
> The first patch looks good;
> the second looks... broad?
>
> Shouldn't you explicitly allow specific attributes?

You mean for:

+    'System: Read LDBM database config': {
+        'ipapermlocation': DN('cn=config'),
+        'ipapermtarget': DN('cn=config,cn=ldbm database,cn=plugins,cn=config'),
+        'ipapermbindruletype': 'permission',
+        'ipapermright': {'read', 'search', 'compare'},
+        'default_privileges': {'Replication Administrators'},
+        'ipapermdefaultattr': {'*'},
+    },
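Review bot: `'ipapermdefaultattr': {'*'}` in this hunk grants read/search/compare on every attribute of `cn=config,cn=ldbm database,cn=plugins,cn=config`, while the stated need is only `nsslapd-changelogdir`. Since the wildcard is a workaround for the entry being an extensibleObject rather than a deliberate grant, either list the attribute explicitly once the permission plugin can accept attributes missing from the schema, or add a comment beside `'ipapermdefaultattr'` recording why `'*'` is used so the breadth is visible to later readers of this managed permission.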

? I did that as my first try, but then the ACI was not accepted, as the
attribute I was looking for (nsslapd-changelogdir) is not in the schema; the
config entry is just an extensibleObject. But as I was going through the attributes,
I did not see anything super-secret.

Petr, is there any way to make the permission plugin accept an unknown attribute in
the permission attribute list, or do we need to use "*" in this case?
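The concern raised in this thread (a managed permission whose attribute list is `'*'`) is the kind of thing a reviewer wants flagged mechanically. The following is an added example, not FreeIPA code: a small lint that walks definitions in the same dict shape as the hunk quoted above and reports wildcard grants, with the `DN` stand-in and the second permission definition constructed here for illustration.

```python
# Added example (not part of FreeIPA): lint managed-permission definitions for
# wildcard attribute grants. The DN class is a stand-in for ipapython's DN so
# the example runs without FreeIPA installed.


class DN(str):
    """Minimal stand-in for ipapython.dn.DN; only string behaviour is needed."""


# Constructed sample definitions. The first mirrors the hunk quoted in the mail;
# the second is a made-up comparison entry with an explicit attribute list.
MANAGED_PERMISSIONS = {
    'System: Read LDBM database config': {
        'ipapermlocation': DN('cn=config'),
        'ipapermtarget': DN('cn=config,cn=ldbm database,cn=plugins,cn=config'),
        'ipapermbindruletype': 'permission',
        'ipapermright': {'read', 'search', 'compare'},
        'default_privileges': {'Replication Administrators'},
        'ipapermdefaultattr': {'*'},
    },
    'Example: Read replica host and port (constructed)': {
        'ipapermlocation': DN('cn=config'),
        'ipapermbindruletype': 'permission',
        'ipapermright': {'read', 'search', 'compare'},
        'ipapermdefaultattr': {'nsds5replicahost', 'nsds5replicaport'},
    },
}


def granted_attributes(spec):
    """All attributes a definition grants: default plus included, minus excluded."""
    attrs = set(spec.get('ipapermdefaultattr', ()))
    attrs |= set(spec.get('ipapermincludedattr', ()))
    attrs -= set(spec.get('ipapermexcludedattr', ()))
    return attrs


def check_permissions(perms, allowed_wildcards=frozenset()):
    """Return [(permission name, finding)] for every wildcard attribute grant.

    allowed_wildcards lists permission names whose '*' has been reviewed and
    accepted (e.g. with a justifying comment in the definition).
    """
    findings = []
    for name, spec in sorted(perms.items()):
        attrs = granted_attributes(spec)
        if '*' not in attrs or name in allowed_wildcards:
            continue
        target = spec.get('ipapermtarget') or spec.get('ipapermlocation', '<unknown>')
        rights = ', '.join(sorted(spec.get('ipapermright', ())))
        findings.append((name, "grants %s on every attribute of %s" % (rights, target)))
    return findings


if __name__ == '__main__':
    for name, finding in check_permissions(MANAGED_PERMISSIONS):
        print('%s: %s' % (name, finding))
```

Run as a script it prints one line for the LDBM config permission and nothing for the explicit-list entry; passing the reviewed name in `allowed_wildcards` silences the finding once the wildcard has been justified.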