[Freeipa-devel] [PATCH 0413] fix permission: Read Replication Agreements

Martin Basti mbasti at redhat.com
Wed Feb 24 14:43:34 UTC 2016



On 24.02.2016 13:36, Jan Cholasta wrote:
> On 24.2.2016 13:07, Martin Basti wrote:
>>
>>
>> On 24.02.2016 10:45, Jan Cholasta wrote:
>>> On 23.2.2016 17:20, Martin Basti wrote:
>>>>
>>>>
>>>> On 22.02.2016 09:00, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> On 17.2.2016 14:49, Martin Basti wrote:
>>>>>> https://fedorahosted.org/freeipa/ticket/5631
>>>>>>
>>>>>> Patch attached (for master, 4.3, 4.2)
>>>>>
>>>>> 1) All the replication agreement permission ACIs should be located in
>>>>> the same entry. Currently "Read Replication Agreements" is in
>>>>> "cn=config" and everything else in "cn=mapping tree,cn=config", so I
>>>>> guess "cn=mapping tree,cn=config" makes more sense.
>>>>>
>>>>>
>>>>> 2) Instead of literal DN('cn=permissions,cn=pbac'), use
>>>>> api.env.container_permissions.
>>>>>
>>>>>
>>>>> 3) IMO the removal of managed permission attributes could be a little
>>>>> bit more robust. You should check that the original entry contains all
>>>>> the required values before touching it (objectclass=ipapermissionv2,
>>>>> ipapermissiontype=V2, ipapermissiontype=MANAGED) and remove only the
>>>>> values that need to be removed, instead of just overwriting everything.
>>>>>
>>>>>
>>>>> Honza
>>>>>
>>>> Updated patch attached.
>>>
>>> The patch does not apply on ipa-4-2.
>>>
>> I will send it later.
>>
>>> Also this bit in replica-acis.ldif is redundant:
>>>
>>> +
>>> +dn: cn=mapping tree,cn=config
>>> +changetype: modify
>>> +add: aci
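Review bot: the added `dn: cn=mapping tree,cn=config` / `changetype: modify` / `add: aci` header starts a new modify record for an entry that, going by the comment introducing this fragment, replica-acis.ldif already modifies. If that is the case, append the new `aci:` value to the existing record for that DN rather than repeating the three header lines; one `add: aci` can carry several `aci:` values.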
>> All ACIs related to replication are in both replica-acis.ldif and
>> 20-aci.update.
>> I just do not want to mess it up more than it already is.
>
> What I'm trying to say is that:
>
>     dn: cn=mapping tree,cn=config
>     changetype: modify
>     add: aci
>     aci: $ACI1
>
>     dn: cn=mapping tree,cn=config
>     changetype: modify
>     add: aci
>     aci: $ACI2
>
> is the same as:
>
>     dn: cn=mapping tree,cn=config
>     changetype: modify
>     add: aci
>     aci: $ACI1
>     aci: $ACI2
>
> . You actually have it right in 20-aci.update, but not in replica-acis.ldif.
>
I did it that way to keep consistency in the replica-acis.ldif file.

Patch for 4-2 added


-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-4-2-mbasti-0413.2-fix-permission-Read-Replication-Agreements.patch
Type: text/x-patch
Size: 20645 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160224/2edb5540/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0413.2-fix-permission-Read-Replication-Agreements.patch
Type: text/x-patch
Size: 21364 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160224/2edb5540/attachment-0001.bin>
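
Point 3 of the review quoted above (check that the entry carries all the required values, then delete only specific values instead of overwriting the attribute) can be sketched as follows. This is an added example, not code from the thread, the patch or FreeIPA; the dict-based entry, the function names, the case-insensitive matching and the choice of MANAGED as the value to remove are assumptions made for illustration.

```python
# Added illustration, not FreeIPA code. An entry is a plain dict of
# attribute name -> list of string values (constructed stand-in for LDAP).
REQUIRED = {  # values named in the review comment
    "objectclass": {"ipapermissionv2"},
    "ipapermissiontype": {"V2", "MANAGED"},
}
SAMPLE = {  # constructed entry
    "objectClass": ["top", "groupofnames", "ipapermission", "ipapermissionv2"],
    "ipaPermissionType": ["V2", "MANAGED", "SYSTEM"],
    "cn": ["Read Replication Agreements"],
}


def _values(entry, attr):
    """Return the values of attr; attribute names match case-insensitively."""
    for name, vals in entry.items():
        if name.lower() == attr.lower():
            return list(vals)
    return []


def plan_removal(entry, to_remove):
    """Return [("delete", attr, values)], or None to leave the entry alone.
    to_remove (attr -> values) is hypothetical; the thread does not list it."""
    # Precondition: every required value must be present, else touch nothing.
    for attr, needed in REQUIRED.items():
        present = {v.lower() for v in _values(entry, attr)}
        if not {n.lower() for n in needed} <= present:
            return None
    mods = []
    for attr, unwanted in sorted(to_remove.items()):
        unwanted_l = {u.lower() for u in unwanted}
        # Delete only values that exist, spelled exactly as stored.
        hit = [v for v in _values(entry, attr) if v.lower() in unwanted_l]
        if hit:
            mods.append(("delete", attr, hit))
    return mods


def apply_mods(entry, mods):
    """Apply value-level deletes to a copy; all other values survive."""
    out = {k: list(v) for k, v in entry.items()}
    for _op, attr, vals in mods:
        for name in out:
            if name.lower() == attr.lower():
                out[name] = [v for v in out[name] if v not in vals]
    return out
```

With a real directory the planned deletes would map to value-level delete modifications, so values that were never inspected are not clobbered.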

