[Freeipa-devel] [PATCH 0413] fix permission: Read Replication Agreements

Martin Basti mbasti at redhat.com
Wed Feb 24 12:07:15 UTC 2016



On 24.02.2016 10:45, Jan Cholasta wrote:
> On 23.2.2016 17:20, Martin Basti wrote:
>>
>>
>> On 22.02.2016 09:00, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 17.2.2016 14:49, Martin Basti wrote:
>>>> https://fedorahosted.org/freeipa/ticket/5631
>>>>
>>>> Patch attached (for master, 4.3, 4.2)
>>>
>>> 1) All the replication agreement permission ACIs should be located in
>>> the same entry. Currently "Read Replication Agreements" is in
>>> "cn=config" and everything else in "cn=mapping tree,cn=config", so I
>>> guess "cn=mapping tree,cn=config" makes more sense.
>>>
>>>
>>> 2) Instead of literal DN('cn=permissions,cn=pbac'), use
>>> api.env.container_permissions.
>>>
>>>
>>> 3) IMO the removal of managed permission attributes could be a little
>>> bit more robust. You should check that the original entry contains all
>>> the required values before touching it (objectclass=ipapermissionv2,
>>> ipapermissiontype=V2, ipapermissiontype=MANAGED) and remove only the
>>> values that need to be removed, instead of just overwriting everything.
>>>
>>>
>>> Honza
>>>
>> Updated patch attached.
>
> The patch does not apply on ipa-4-2.
>
I will send it later.

> Also this bit in replica-acis.ldif is redundant:
>
> +
> +dn: cn=mapping tree,cn=config
> +changetype: modify
> +add: aci
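Review bot: the `add: aci` under `dn: cn=mapping tree,cn=config` is quoted here without the ACI value it adds, so the rule itself cannot be checked from this excerpt; the full value should be quoted when it is discussed. Since the thread says the replication ACIs are kept in both replica-acis.ldif and 20-aci.update, a comment beside this entry naming the other file would help keep the two copies from drifting apart.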
All ACIs related to replication are in both replica-acis.ldif and
20-aci.update.
I just do not want to mess it up more than it already is.

>
> Honza
>
Martin^2
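The check suggested in point 3 of the quoted review, sketched as an added example (not code from the patch or from FreeIPA). Entries are plain dicts rather than FreeIPA's LDAP entry objects, the sample entries are constructed, and it is an assumption that the values to remove are exactly the three named in the review and that they compare case-insensitively:

```python
# Values the review says must all be present before the entry is touched.
# Assumption: these are also exactly the values that get removed.
REQUIRED = {
    "objectclass": ["ipapermissionv2"],
    "ipapermissiontype": ["MANAGED", "V2"],
}


def _index(entry):
    """Map lower-cased attribute name -> {lower-cased value: stored value}."""
    return {a.lower(): {v.lower(): v for v in vals} for a, vals in entry.items()}


def plan_removal(entry):
    """Return {attr: [stored values to delete]}, or None to leave the entry alone."""
    have = _index(entry)
    for attr, values in REQUIRED.items():
        if any(v.lower() not in have.get(attr, {}) for v in values):
            return None  # not in the expected managed state: do not modify
    return {a: [have[a][v.lower()] for v in vals] for a, vals in REQUIRED.items()}


def apply_removal(entry, plan):
    """Return a copy of entry with only the planned values removed."""
    result = {}
    for attr, vals in entry.items():
        drop = {v.lower() for v in plan.get(attr.lower(), [])}
        kept = [v for v in vals if v.lower() not in drop]
        if kept:
            result[attr] = kept
    return result


# Constructed sample entries (not taken from a real directory).
MANAGED_ENTRY = {
    "cn": ["Read Replication Agreements"],
    "objectClass": ["top", "groupOfNames", "ipaPermissionV2"],
    "ipaPermissionType": ["SYSTEM", "V2", "MANAGED"],
}
UNEXPECTED_ENTRY = {
    "cn": ["Read Replication Agreements"],
    "objectClass": ["top", "groupOfNames", "ipaPermissionV2"],
    "ipaPermissionType": ["SYSTEM", "V2"],  # MANAGED missing
}

if __name__ == "__main__":
    plan = plan_removal(MANAGED_ENTRY)
    print(plan)
    print(apply_removal(MANAGED_ENTRY, plan))
    print(plan_removal(UNEXPECTED_ENTRY))
```

Returning a per-value deletion plan instead of a replacement attribute list is what keeps unrelated values on the entry intact.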



