[Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes

Petr Viktorin pviktori at redhat.com
Wed Jan 14 09:15:17 UTC 2015


On 01/13/2015 10:52 PM, Martin Kosek wrote:
> On 01/13/2015 09:55 PM, Simo Sorce wrote:
>> On Tue, 13 Jan 2015 18:16:11 +0100
>> Martin Kosek <mkosek at redhat.com> wrote:
>>
>>> This is a crude first version of the (working) fixes to fix
>>> Winsync/Passsync problems caused by the PermissionV2 refactoring.
>>>
>>> Simo/Petr3 or others, any concerns?
>>>
>>
>> The first patch looks good
>> the second looks .. broad ?
>>
>> Shouldn't you explicitly allow specific attributes ?
>
> You mean for:
>
> +    'System: Read LDBM database config': {
> +        'ipapermlocation': DN('cn=config'),
> +        'ipapermtarget': DN('cn=config,cn=ldbm
> database,cn=plugins,cn=config'),
> +        'ipapermbindruletype': 'permission',
> +        'ipapermright': {'read', 'search', 'compare'},
> +        'default_privileges': {'Replication Administrators'},
> +        'ipapermdefaultattr': {'*'},
> +    },
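Review bot: `'ipapermdefaultattr': {'*'}` grants read, search and compare on every attribute of the ldbm database config entry to Replication Administrators, not only the nsslapd-changelogdir attribute the fix actually needs, so this is the broad grant Simo is asking about. If the explicit list has to be dropped because the DS rejects an ACI naming an attribute that is not in the schema, add a short comment above the entry stating that constraint, so that a later reader does not widen or keep the wildcard by accident; otherwise prefer listing the attributes the winsync/passsync path reads. The target DN split across two lines (`cn=ldbm` / `database,cn=plugins,cn=config`) looks like mail-client wrapping rather than a change in the patch, but worth confirming in the real diff.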
>
> ? I did that as my first try, but then the ACI was not accepted as the
> attribute I was looking for (nsslapd-changelogdir) is not in the schema
> as the config is just an extensibleObject. But as I was going through
> the attributes, I did not see anything super-secret.
>
> Petr, is there any way to make permission plugin accept unknown
> attribute in the permission attribute list, or do we need to use "*" in
> this case?

The ACL Syntax Error comes straight from the DS, so there's not much IPA 
can do. The error suggests adding nsslapd-changelogdir to the schema, 
but I'm not sure that's the right solution here.
Thierry, any comments? See the attached LDIF.

-- 
Petr³

-------------- next part --------------
A non-text attachment was scrubbed...
Name: add-changelogdir-aci.ldif
Type: text/x-ldif
Size: 178 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150114/336a5b9b/attachment.bin>
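The thread's underlying question is whether a managed permission should name its attributes explicitly or fall back to `*`, and why the explicit version was rejected. The following is an added example, not code from FreeIPA or from the patch under discussion: a small linter that models the permission dictionaries of the thread as plain Python data, flags `*` grants as broad, and reports attributes that a (constructed, stand-in) schema does not know about. The schema set, `KNOWN_SCHEMA_ATTRS`, and the function names are assumptions made for this example; the real schema lookup and the DS-side ACI syntax check are not reproduced.

```python
"""Lint IPA-style managed permission definitions for over-broad grants.

Added example, not FreeIPA code. Permission definitions are plain dicts
shaped like the ones in the thread. KNOWN_SCHEMA_ATTRS is a constructed
stand-in for the 389 DS schema; the real server keeps cn=config entries as
extensibleObject, which is why an ACI naming nsslapd-changelogdir was
rejected with an ACL syntax error in the thread.
"""

# Constructed stand-in for attribute types present in the schema. Note that
# nsslapd-changelogdir is deliberately absent, mirroring the thread.
KNOWN_SCHEMA_ATTRS = {
    "cn", "objectclass", "nsslapd-directory", "nsslapd-cachesize",
    "nsslapd-dbcachesize", "nsslapd-db-logdirectory",
}

REQUIRED_KEYS = {
    "ipapermlocation", "ipapermtarget", "ipapermbindruletype",
    "ipapermright", "ipapermdefaultattr",
}


def lint_permission(name, perm, schema=KNOWN_SCHEMA_ATTRS):
    """Return a list of (severity, message) findings for one permission."""
    findings = []
    missing = REQUIRED_KEYS - set(perm)
    if missing:
        findings.append(("error", f"{name}: missing keys {sorted(missing)}"))
        return findings

    rights = sorted(perm["ipapermright"])
    attrs = {a.lower() for a in perm["ipapermdefaultattr"]}

    # A wildcard is accepted by the DS but grants the listed rights on every
    # attribute of the target entry: a least-privilege finding, not an error.
    if "*" in attrs:
        findings.append((
            "warning",
            f"{name}: '*' grants {rights} on every attribute of "
            f"{perm['ipapermtarget']} to {sorted(perm.get('default_privileges', []))}",
        ))

    # An explicitly named attribute that the schema does not define cannot be
    # expressed in the ACI; in this model that is reported as an error.
    for attr in sorted(attrs - {"*"}):
        if attr not in schema:
            findings.append((
                "error",
                f"{name}: attribute '{attr}' is not in the schema, "
                f"so the DS will not accept an ACI naming it",
            ))
    return findings


def lint_all(perms, schema=KNOWN_SCHEMA_ATTRS):
    """Lint every permission in a mapping of name -> definition."""
    return {name: lint_permission(name, perm, schema)
            for name, perm in perms.items()}


# Constructed sample input: the wildcard variant from the thread and the
# explicit variant Martin tried first.
_TARGET = "cn=config,cn=ldbm database,cn=plugins,cn=config"
SAMPLE_PERMISSIONS = {
    "System: Read LDBM database config": {
        "ipapermlocation": "cn=config",
        "ipapermtarget": _TARGET,
        "ipapermbindruletype": "permission",
        "ipapermright": {"read", "search", "compare"},
        "default_privileges": {"Replication Administrators"},
        "ipapermdefaultattr": {"*"},
    },
    "System: Read LDBM changelog dir (explicit)": {
        "ipapermlocation": "cn=config",
        "ipapermtarget": _TARGET,
        "ipapermbindruletype": "permission",
        "ipapermright": {"read", "search", "compare"},
        "default_privileges": {"Replication Administrators"},
        "ipapermdefaultattr": {"nsslapd-changelogdir"},
    },
}


if __name__ == "__main__":
    for name, findings in lint_all(SAMPLE_PERMISSIONS).items():
        for severity, message in findings or [("ok", f"{name}: no findings")]:
            print(f"[{severity}] {message}")
```

Run as a script, the wildcard definition produces one warning and the explicit one produces one error; a definition that names only schema-known attributes produces no findings. The point of keeping the wildcard as a warning rather than an error is that the DS accepts it, so nothing else in the pipeline would otherwise draw attention to how much the grant covers.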