[Freeipa-devel] [PATCH 0413] fix permission: Read Replication Agreements

Jan Cholasta jcholast at redhat.com
Wed Feb 24 09:45:15 UTC 2016


On 23.2.2016 17:20, Martin Basti wrote:
>
>
> On 22.02.2016 09:00, Jan Cholasta wrote:
>> Hi,
>>
>> On 17.2.2016 14:49, Martin Basti wrote:
>>> https://fedorahosted.org/freeipa/ticket/5631
>>>
>>> Patch attached (for master, 4.3, 4.2)
>>
>> 1) All the replication agreement permission ACIs should be located in
>> the same entry. Currently "Read Replication Agreements" is in
>> "cn=config" and everything else in "cn=mapping tree,cn=config", so I
>> guess "cn=mapping tree,cn=config" makes more sense.
>>
>>
>> 2) Instead of literal DN('cn=permissions,cn=pbac'), use
>> api.env.container_permissions.
>>
>>
>> 3) IMO the removal of managed permission attributes could be a little
>> bit more robust. You should check that the original entry contains all
>> the required values before touching it (objectclass=ipapermissionv2,
>> ipapermissiontype=V2, ipapermissiontype=MANAGED) and remove only the
>> values that need to be removed, instead of just overwriting everything.
>>
>>
>> Honza
>>
> Updated patch attached.

The patch does not apply on ipa-4-2.

Also this bit in replica-acis.ldif is redundant:

+
+dn: cn=mapping tree,cn=config
+changetype: modify
+add: aci
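
Review bot: on the `add: aci` line, the quoted fragment ends before any `aci:` value, so the record as shown is incomplete on its own. If this header is dropped as redundant, the leading blank `+` line should be removed with it, because a blank line ends an LDIF record and the `aci:` values that followed would otherwise no longer belong to a `dn: cn=mapping tree,cn=config` modify record.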

Honza

-- 
Jan Cholasta



