[Freeipa-devel] [PATCH 0413] fix permission: Read Replication Agreements

Jan Cholasta jcholast at redhat.com
Mon Feb 22 08:00:33 UTC 2016


Hi,

On 17.2.2016 14:49, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5631
>
> Patch attached (for master, 4.3, 4.2)

1) All the replication agreement permission ACIs should be located in 
the same entry. Currently "Read Replication Agreements" is in 
"cn=config" and everything else in "cn=mapping tree,cn=config", so I 
guess "cn=mapping tree,cn=config" makes more sense.


2) Instead of literal DN('cn=permissions,cn=pbac'), use 
api.env.container_permissions.


3) IMO the removal of managed permission attributes could be a little 
bit more robust. You should check that the original entry contains all 
the required values before touching it (objectclass=ipapermissionv2, 
ipapermissiontype=V2, ipapermissiontype=MANAGED) and remove only the 
values that need to be removed, instead of just overwriting everything.


Honza

-- 
Jan Cholasta
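
The check-then-remove approach from point 3 of the review above, as an added example that is not part of the original message and is not FreeIPA code. It models an entry as a plain dict with lower-cased attribute names instead of using the ipalib API; the function name, the sample entry and the choice of which values to remove are assumptions made for illustration.

```python
# Added illustration, not ipalib: an LDAP entry is modelled as a dict that
# maps lower-cased attribute names to lists of values.

# Values the review says must be present before the entry is touched.
REQUIRED = {
    "objectclass": {"ipapermissionv2"},
    "ipapermissiontype": {"V2", "MANAGED"},
}

# Constructed sample entry and a hypothetical removal set.
SAMPLE = {
    "cn": ["Read Replication Agreements"],
    "objectclass": ["top", "groupofnames", "ipapermission", "ipapermissionv2"],
    "ipapermissiontype": ["SYSTEM", "V2", "MANAGED"],
}
TO_REMOVE = {"ipapermissiontype": ["MANAGED"]}


def _has_values(entry, attr, values):
    """Case-insensitive check that entry[attr] holds every required value."""
    present = {v.lower() for v in entry.get(attr, [])}
    return all(v.lower() in present for v in values)


def strip_managed_values(entry, to_remove, required=REQUIRED):
    """Return a copy of entry with only the values in to_remove dropped.

    Returns None when the entry lacks any required value, so the caller
    skips it instead of overwriting an entry in an unexpected state.
    """
    if not all(_has_values(entry, a, vals) for a, vals in required.items()):
        return None
    result = {}
    for attr, values in entry.items():
        drop = {v.lower() for v in to_remove.get(attr, ())}
        kept = [v for v in values if v.lower() not in drop]
        if kept:  # an attribute left with no values is omitted entirely
            result[attr] = kept
    return result


if __name__ == "__main__":
    print(strip_managed_values(SAMPLE, TO_REMOVE))
    print(strip_managed_values({"objectclass": ["top"]}, TO_REMOVE))
```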



