[Freeipa-devel] [PATCH 0052] Stage User: Fix permissions naming and split them where appropriate.

thierry bordaz tbordaz at redhat.com
Thu Jun 11 12:12:42 UTC 2015


On 06/10/2015 02:14 PM, David Kupka wrote:
> https://fedorahosted.org/freeipa/ticket/5057
Hello David,

The patch looks ok except it removes a permission to update 'uid' from 
an active user. This permission is required to delete (preserve) an 
active user.

    -        # Active container
    -        #
    -        # Stage user administrators need write right on RDN when
    -        # the active user is deleted (preserved)
    -        'System: Write Active Users RDN by administrators': {
    -            'ipapermlocation': DN(baseuser.active_container_dn,
    api.env.basedn),
    -            'ipapermbindruletype': 'permission',
    -            'ipapermtarget': DN('uid=*',
    baseuser.active_container_dn, api.env.basedn),
    -            'ipapermtargetfilter': {'(objectclass=posixaccount)'},
    -            'ipapermright': {'write'},
    -            'ipapermdefaultattr': {'uid'},
    -            'default_privileges': {'Stage User Administrators'},
    -        },
    -        #
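
Review bot: Removing 'System: Write Active Users RDN by administrators' drops the grant that gives 'Stage User Administrators' write on 'uid' under baseuser.active_container_dn, and the comment at the top of this hunk says that right is needed when the active user is deleted (preserved). Keep the entry, or if it is renamed, carry over the same narrow scope ('ipapermright': {'write'}, 'ipapermdefaultattr': {'uid'}, targetfilter '(objectclass=posixaccount)') together with the explanatory comment, so the replacement does not grant more than write on the RDN attribute.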

I prepared a new patch (attached) with that permission and it makes 
'user-del --preserve' happy.
Now I think the name would rather be something like: 'System: Preserve 
an active user (user-del --preserve)'

I also added back this comment in two permissions 'Note: targetfilter is 
the target parent container'.
This was to say that the targetfilter setting was intentional.
If you think it is not the right place, you may remove those comments.

Thanks
thierry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Stage-User-Fix-permissions-naming-and-split-them-whe.patch
Type: text/x-patch
Size: 17532 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150611/0f7f54fa/attachment.bin>

