[Freeipa-devel] [PATCH 0413] fix permission: Read Replication Agreements

Jan Cholasta jcholast at redhat.com
Thu Feb 25 13:30:26 UTC 2016


On 24.2.2016 15:43, Martin Basti wrote:
>
>
> On 24.02.2016 13:36, Jan Cholasta wrote:
>> On 24.2.2016 13:07, Martin Basti wrote:
>>>
>>>
>>> On 24.02.2016 10:45, Jan Cholasta wrote:
>>>> On 23.2.2016 17:20, Martin Basti wrote:
>>>>>
>>>>>
>>>>> On 22.02.2016 09:00, Jan Cholasta wrote:
>>>>>> Hi,
>>>>>>
>>>>>> On 17.2.2016 14:49, Martin Basti wrote:
>>>>>>> https://fedorahosted.org/freeipa/ticket/5631
>>>>>>>
>>>>>>> Patch attached (for master, 4.3, 4.2)
>>>>>>
>>>>>> 1) All the replication agreement permission ACIs should be located in
>>>>>> the same entry. Currently "Read Replication Agreements" is in
>>>>>> "cn=config" and everything else in "cn=mapping tree,cn=config", so I
>>>>>> guess "cn=mapping tree,cn=config" makes more sense.
>>>>>>
>>>>>>
>>>>>> 2) Instead of literal DN('cn=permissions,cn=pbac'), use
>>>>>> api.env.container_permissions.
>>>>>>
>>>>>>
>>>>>> 3) IMO the removal of managed permission attributes could be a little
>>>>>> bit more robust. You should check that the original entry contains
>>>>>> all
>>>>>> the required values before touching it (objectclass=ipapermissionv2,
>>>>>> ipapermissiontype=V2, ipapermissiontype=MANAGED) and remove only the
>>>>>> values that need to be removed, instead of just overwriting
>>>>>> everything.
>>>>>>
>>>>>>
>>>>>> Honza
>>>>>>
>>>>> Updated patch attached.
>>>>
>>>> The patch does not apply on ipa-4-2.
>>>>
>>> I will send it later.
>>>
>>>> Also this bit in replica-acis.ldif is redundant:
>>>>
>>>> +
>>>> +dn: cn=mapping tree,cn=config
>>>> +changetype: modify
>>>> +add: aci
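Review bot: the added `dn: cn=mapping tree,cn=config` / `changetype: modify` / `add: aci` lines open a new change record for an entry this file already modifies. If the record directly above also adds `aci` values to that entry, append the new `aci:` line to it and drop this header. If one ACI per record is the intended layout for replica-acis.ldif, a comment saying so next to these records would make that clear.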
>>> All ACIs related to replication are in both replica-acis.ldif and
>>> 20-aci.update.
>>> I just do not want to mess it more than it is.
>>
>> What I'm trying to say is that:
>>
>>     dn: cn=mapping tree,cn=config
>>     changetype: modify
>>     add: aci
>>     aci: $ACI1
>>
>>     dn: cn=mapping tree,cn=config
>>     changetype: modify
>>     add: aci
>>     aci: $ACI2
>>
>> is the same as:
>>
>>     dn: cn=mapping tree,cn=config
>>     changetype: modify
>>     add: aci
>>     aci: $ACI1
>>     aci: $ACI2
>>
>> . You actually have it right in 20-aci.update, but not in
>> replica-acis.ldif.
>>
> I did it that way to keep consistency in the replica-acis.ldif file.

I see. I missed that.

>
> Patch for 4-2 added

Thanks, ACK.

Pushed to:
master: bba2355631c4cbadfb5089663c2a3af65a817fb7
ipa-4-2: de7ec77ea8811a6add2eab5d0853686484ae732c
ipa-4-3: 2bac05a18720c4ab84bc1de5573d3d96e73ddc55

-- 
Jan Cholasta
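
The equivalence discussed in the thread above (two `add: aci` records for one entry versus one record carrying both `aci:` values), as an added example that is not part of the original message or of the FreeIPA code base. The helper names are hypothetical, the input is constructed from the thread's `$ACI1`/`$ACI2` placeholders, and the parser assumes blank-line separated, single-operation modify records with no folded or base64 lines.

```python
# Added example: constructed input built from the thread's $ACI1/$ACI2
# placeholders; function names are hypothetical, not FreeIPA code.
HEADER = "dn: cn=mapping tree,cn=config\nchangetype: modify\nadd: aci\n"
SEPARATE = HEADER + "aci: $ACI1\n\n" + HEADER + "aci: $ACI2\n"
MERGED = HEADER + "aci: $ACI1\naci: $ACI2\n"


def parse_modify_records(ldif):
    """Return [(dn, op, attr, [values])] for single-operation modify records.
    Assumes blank-line separated records with no folded or base64 lines."""
    records = []
    for block in ldif.strip().split("\n\n"):
        pairs = [tuple(p.strip() for p in line.split(":", 1))
                 for line in block.splitlines()
                 if line.strip() not in ("", "-") and not line.startswith("#")]
        (k_dn, dn), (k_ct, ctype), (op, attr), *rest = pairs
        if (k_dn.lower(), k_ct.lower(), ctype) != ("dn", "changetype", "modify"):
            raise ValueError("not a modify record: %r" % block)
        values = [v for k, v in rest if k.lower() == attr.lower()]
        records.append((dn, op, attr, values))
    return records


def merge_adjacent_adds(records):
    """Fold consecutive 'add' records for the same DN and attribute into one."""
    merged = []
    for dn, op, attr, values in records:
        prev = merged[-1] if merged else None
        if (prev and op == prev[1] == "add" and dn.lower() == prev[0].lower()
                and attr.lower() == prev[2].lower()):
            prev[3].extend(v for v in values if v not in prev[3])
        else:
            merged.append([dn, op, attr, list(values)])
    return [tuple(r) for r in merged]


def redundant_headers(ldif):
    """Count records whose dn/changetype/add header repeats the previous one."""
    records = parse_modify_records(ldif)
    return len(records) - len(merge_adjacent_adds(records))


if __name__ == "__main__":
    print(merge_adjacent_adds(parse_modify_records(SEPARATE)))
    print("redundant headers:", redundant_headers(SEPARATE))
```

Both forms leave the same set of ACI values on the entry; the merged form sends them to the server as one modify operation instead of two.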



