<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 01/14/2015 12:03 PM, Martin Kosek
wrote:<br>
</div>
<blockquote cite="mid:54B64CE9.7030204@redhat.com" type="cite">
<pre wrap="">On 01/14/2015 10:58 AM, thierry bordaz wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On 01/14/2015 10:15 AM, Petr Viktorin wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On 01/13/2015 10:52 PM, Martin Kosek wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On 01/13/2015 09:55 PM, Simo Sorce wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Tue, 13 Jan 2015 18:16:11 +0100
Martin Kosek <a class="moz-txt-link-rfc2396E" href="mailto:mkosek@redhat.com"><mkosek@redhat.com></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">This is crude first version of the (working) fixes to fix
Winsync/Passsync problems caused by the PermissionV2 refactoring.
Simo/Petr3 or others, any concerns?
</pre>
</blockquote>
<pre wrap="">
The first patch looks good
the second looks .. broad ?
Shouldn't you explicitly allow specific attributes ?
</pre>
</blockquote>
<pre wrap="">
You mean for:
+ 'System: Read LDBM database config': {
+ 'ipapermlocation': DN('cn=config'),
+ 'ipapermtarget': DN('cn=config,cn=ldbm
database,cn=plugins,cn=config'),
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'default_privileges': {'Replication Administrators'},
+ 'ipapermdefaultattr': {'*'},
+ },
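Review bot: 'ipapermdefaultattr': {'*'} makes the read/search/compare rights of this permission apply to every attribute of the ldbm database config entry, present and future, not only to nsslapd-changelogdir; since the DS refuses an ACI that names an attribute absent from the schema, a short comment next to this entry stating that the wildcard is forced by that schema check and naming the attribute actually needed would keep the rationale with the definition for the next reader.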
? I did that as my first try, but then the ACI was not accepted as the
attribute I was looking for (nsslapd-changelogdir) is not in the schema
as the config is just an extensibleObject. But as I was going through
the attributes, I did not see anything super-secret.
Petr, is there any way to make permission plugin accept unknown
attribute in the permission attribute list, or do we need to use "*" in
this case?
</pre>
</blockquote>
<pre wrap="">
The ACL Syntax Error comes straight from the DS, so there's not much IPA can
do. The error suggests adding nsslapd-changelogdir to the schema, but I'm not
sure that's the right solution here.
Thierry, any comments? See the attached LDIF.
</pre>
</blockquote>
<pre wrap="">Actually this limitation was added with the bug
<a class="moz-txt-link-freetext" href="https://bugzilla.redhat.com/show_bug.cgi?id=244229">https://bugzilla.redhat.com/show_bug.cgi?id=244229</a>.
I do not see in the bug if the ability to define non-schema attributes was
creating a problem for IPA.
</pre>
</blockquote>
<pre wrap="">
Not before, but with PermissionV2 and especially these patches, we may need to
control access to unknown attributes in extensibleObject objects.
</pre>
</blockquote>
<font face="Times New Roman, Times, serif">One possibility is to
revert that fix (with or without a configuration toggle). But then
in a topology with mixed versions of DS, old DS will skip
those ACIs.<br>
<br>
Using the '*' char is not nice but will guarantee the same evaluation on
all servers. <br>
</font>
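<p>An added example, not code from this thread or from FreeIPA: a small pre-flight check that models the DS behaviour discussed above, namely that an ACI whose targetattr names an attribute absent from the schema is refused (the "ACL Syntax Error"), while '*' is accepted but then covers every attribute of the target entry. The schema subset, the suffix and the exact ACI layout are assumptions made for the demonstration; the two permission definitions are the explicit first try and the wildcard version from the thread.</p>

```python
# Added example, not code from the thread or from FreeIPA itself.  It models the
# 389 DS behaviour discussed above: an ACI whose targetattr names an attribute
# that is not in the schema is refused (the "ACL Syntax Error" Petr mentions),
# while "*" is accepted but grants the rights on every attribute of the target.
# The schema subset, the suffix and the exact ACI layout are assumptions.

SUFFIX = "dc=example,dc=test"  # assumed suffix for the constructed example

# Constructed schema subset: nsslapd-changelogdir is deliberately left out,
# because the config entry is an extensibleObject and the attribute is not
# defined in the schema, which is the situation described in the thread.
KNOWN_SCHEMA_ATTRS = {"cn", "objectclass", "nsslapd-directory", "nsslapd-cachememsize"}

# Both permissions from the thread: the first try naming the attribute
# explicitly, and the submitted version using the wildcard.
PERM_EXPLICIT = {
    "ipapermlocation": "cn=config",
    "ipapermtarget": "cn=config,cn=ldbm database,cn=plugins,cn=config",
    "ipapermbindruletype": "permission",
    "ipapermright": {"read", "search", "compare"},
    "default_privileges": {"Replication Administrators"},
    "ipapermdefaultattr": {"nsslapd-changelogdir"},
}
PERM_WILDCARD = dict(PERM_EXPLICIT, ipapermdefaultattr={"*"})


def build_aci(name, perm, suffix=SUFFIX):
    """Render a permission as a 389 DS ACI string (approximate layout, assumed).

    The bind rule follows the 'permission' bind rule type used in the thread:
    access is granted to the permission's own group entry under cn=pbac.
    """
    attrs = sorted(perm["ipapermdefaultattr"])
    rights = ",".join(sorted(perm["ipapermright"]))
    return (
        f'(targetattr = "{" || ".join(attrs)}")'
        f'(target = "ldap:///{perm["ipapermtarget"]}")'
        f'(version 3.0;acl "permission:{name}";allow ({rights}) '
        f'groupdn = "ldap:///cn={name},cn=permissions,cn=pbac,{suffix}";)'
    )


def check_permission(name, perm, schema=KNOWN_SCHEMA_ATTRS):
    """Pre-flight the permission the way DS will judge the generated ACI.

    Returns (accepted, findings).  accepted is False when an attribute in
    ipapermdefaultattr is absent from the schema, since DS rejects such an
    ACI outright.  A wildcard is accepted but reported, because it covers
    every attribute of the target entry, present and future, not only the
    one the permission was written for.
    """
    attrs = {a.lower() for a in perm.get("ipapermdefaultattr", ())}
    schema = {a.lower() for a in schema}
    findings = []
    unknown = sorted(a for a in attrs if a != "*" and a not in schema)
    if unknown:
        findings.append(f"{name}: not in schema, DS would reject the ACI: {unknown}")
        return False, findings
    if "*" in attrs:
        findings.append(
            f"{name}: wildcard grants {sorted(perm['ipapermright'])} on every "
            f"attribute of {perm['ipapermtarget']}; review what that entry holds"
        )
    return True, findings


if __name__ == "__main__":
    for label, perm in (("explicit", PERM_EXPLICIT), ("wildcard", PERM_WILDCARD)):
        ok, notes = check_permission(label, perm)
        print("ACCEPTED" if ok else "REJECTED", build_aci(label, perm))
        for note in notes:
            print("  -", note)
```

<p>Run stand-alone it prints the explicit variant as rejected (the unknown attribute is named) and the wildcard variant as accepted with a note on its breadth, which mirrors the trade-off the thread settles on: the wildcard is the only form every DS version in a mixed topology will evaluate the same way, at the cost of granting more than the single attribute needed.</p>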
</body>
</html>