[Freeipa-devel] [PATCH 0413] fix permission: Read Replication Agreements

Jan Cholasta jcholast at redhat.com
Wed Feb 24 12:36:51 UTC 2016


On 24.2.2016 13:07, Martin Basti wrote:
>
>
> On 24.02.2016 10:45, Jan Cholasta wrote:
>> On 23.2.2016 17:20, Martin Basti wrote:
>>>
>>>
>>> On 22.02.2016 09:00, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> On 17.2.2016 14:49, Martin Basti wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/5631
>>>>>
>>>>> Patch attached (for master, 4.3, 4.2)
>>>>
>>>> 1) All the replication agreement permission ACIs should be located in
>>>> the same entry. Currently "Read Replication Agreements" is in
>>>> "cn=config" and everything else in "cn=mapping tree,cn=config", so I
>>>> guess "cn=mapping tree,cn=config" makes more sense.
>>>>
>>>>
>>>> 2) Instead of literal DN('cn=permissions,cn=pbac'), use
>>>> api.env.container_permissions.
>>>>
>>>>
>>>> 3) IMO the removal of managed permission attributes could be a little
>>>> bit more robust. You should check that the original entry contains all
>>>> the required values before touching it (objectclass=ipapermissionv2,
>>>> ipapermissiontype=V2, ipapermissiontype=MANAGED) and remove only the
>>>> values that need to be removed, instead of just overwriting everything.
>>>>
>>>>
>>>> Honza
>>>>
>>> Updated patch attached.
>>
>> The patch does not apply on ipa-4-2.
>>
> I will send it later.
>
>> Also this bit in replica-acis.ldif is redundant:
>>
>> +
>> +dn: cn=mapping tree,cn=config
>> +changetype: modify
>> +add: aci
> All related ACIs to replication are in both replica-acis.ldif and
> 20-aci.update.
> I just do not want to mess it more than it is.

What I'm trying to say is that:

     dn: cn=mapping tree,cn=config
     changetype: modify
     add: aci
     aci: $ACI1

     dn: cn=mapping tree,cn=config
     changetype: modify
     add: aci
     aci: $ACI2

is the same as:

     dn: cn=mapping tree,cn=config
     changetype: modify
     add: aci
     aci: $ACI1
     aci: $ACI2

. You actually have it right in 20-aci.update, but not in replica-acis.ldif.

-- 
Jan Cholasta
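
The equivalence described in the message above, as an added example that is not part of the original thread or of FreeIPA's code: a small checker that parses LDIF modify records and merges adjacent ones that repeat the same DN, operation and attribute. The function names are hypothetical, the sample is constructed from the thread's `$ACI1`/`$ACI2` placeholders, and the parser assumes one operation per record with no folded or base64 values.

```python
import re

# Constructed sample in the shape quoted in the thread; $ACI1/$ACI2 are the
# thread's placeholders, not real ACI strings.
SAMPLE = """\
dn: cn=mapping tree,cn=config
changetype: modify
add: aci
aci: $ACI1

dn: cn=mapping tree,cn=config
changetype: modify
add: aci
aci: $ACI2
"""

def parse_modify_records(text):
    """Parse modify records into (dn, op, attr, values); one operation each."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = [tuple(p.strip() for p in ln.split(":", 1))
                 for ln in block.splitlines() if not ln.startswith("#")]
        # Reject shapes this sketch does not handle ("-" separators, folding).
        if len(pairs) < 4 or any(len(p) != 2 for p in pairs):
            raise ValueError("unsupported record: %r" % block)
        (k_dn, dn), changetype, (op, attr) = pairs[:3]
        if k_dn != "dn" or changetype != ("changetype", "modify"):
            raise ValueError("unsupported record: %r" % block)
        if any(k != attr for k, _ in pairs[3:]):
            raise ValueError("more than one operation in record: %r" % block)
        records.append((dn, op, attr, [v for _, v in pairs[3:]]))
    return records

def coalesce(records):
    """Merge adjacent records with the same DN, operation and attribute."""
    merged = []
    for dn, op, attr, values in records:
        # Lower-cased string comparison is a simplification of DN matching.
        key = (dn.lower(), op, attr.lower())
        if merged and merged[-1][0] == key:
            merged[-1][1][3].extend(v for v in values if v not in merged[-1][1][3])
        else:
            merged.append((key, (dn, op, attr, list(values))))
    return [rec for _, rec in merged]

def to_ldif(records):
    """Render records back to LDIF, one blank line between records."""
    return "\n\n".join(
        "\n".join(["dn: " + dn, "changetype: modify", "%s: %s" % (op, attr)]
                  + ["%s: %s" % (attr, v) for v in values])
        for dn, op, attr, values in records) + "\n"
```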



