[Freeipa-devel] [PATCH] 728 default roles

Jan Zelený jzeleny at redhat.com
Tue Feb 22 12:14:52 UTC 2011


Rob Crittenden <rcritten at redhat.com> wrote:
> Jakub Hrozek wrote:
> > On Mon, Feb 21, 2011 at 10:11:38AM -0500, Rob Crittenden wrote:
> >> Rob Crittenden wrote:
> >>> Jakub Hrozek wrote:
> >>>> -----BEGIN PGP SIGNED MESSAGE-----
> >>>> Hash: SHA1
> >>>> 
> >>>> On 02/17/2011 04:35 AM, Rob Crittenden wrote:
> >>>>> Add default roles and permissions for HBAC, SUDO and pw policy
> >>>>> 
> >>>>> Created some default roles as examples. In doing so I realized that
> >>>>> we were completely missing default rules for HBAC, SUDO and password
> >>>>> policy so I added those as well.
> >>>>> 
> >>>>> I ran into a problem when the updater has a default record and an add
> >>>>> at the same time, it should handle it better now.
> >>>>> 
> >>>>> ticket 585
> >>>>> 
> >>>>> rob
> >>>> 
> >>>> I'm not sure about the HBAC rules ACIs. They are specified as:
> >>>> 
> >>>> 'target = "ldap:///cn=*,cn=hbac,$SUFFIX"'
> >>>> 
> >>>> while HBAC rules' DN is:
> >>>> 
> >>>> 'ipauniqueid=*,cn=hbac,$SUFFIX'.
> >>>> 
> >>>> But HBAC rules do have a cn: attribute, so maybe the ACIs would work?
> >>> 
> >>> No, you're right, this is wrong. I'll fix it up and resubmit.
> >>> 
> >>>> The patch also needs rebasing on top of recent changes to
> >>>> install/updates/Makefile.am
> >>>> 
> >>>> Other than that, looks OK to me.
> >>>> 
> >>>> btw when I was reviewing this patch, I noticed we add a "DNS
> >>>> Administrators" privilege in dns.ldif. Would it make sense to add DNS
> >>>> administration to "Security Architect" (replication management) and
> >>>> "IT Specialist" (hosts management)?
> >>> 
> >>> The DNS stuff is added only if DNS is enabled on the server so I can't
> >>> add them by default.
> >>> 
> >>> rob
> >> 
> >> Updated patch.
> >> 
> >> rob
> > 
> > Interdiff looks fine, but I'm not able to apply the patch (not even
> > 3-way merge), can you rebase?
> 
> done

The patch now applies ok (just one whitespace warning), ack

Jan
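The ACI problem Jakub spotted above is that the target `ldap:///cn=*,cn=hbac,$SUFFIX` names entries whose leading RDN is `cn=...`, while HBAC rules actually live at `ipauniqueid=*,cn=hbac,$SUFFIX`; a `cn` attribute inside the entry does not change the DN the target is matched against. The following is an added example, not code from the patch or from FreeIPA, that checks an ACI target pattern against real entry DNs the way a reviewer would before accepting such a permission. It is a deliberately simplified matcher (RDN-by-RDN, attribute type case-insensitive, shell-style wildcard in the value) rather than the directory server's own implementation, and `SUFFIX` plus the sample `ipauniqueid` value are constructed placeholders.

```python
"""Check which entry DNs a 389-ds style ACI target clause would cover.

Simplified, constructed matcher for review purposes: it splits the target DN
and the entry DN into RDNs, compares them pairwise, requires the attribute
type of every RDN to agree (case-insensitively) and lets '*' in a target
value match any value. It is not the directory server's own code.
"""
import fnmatch
import re
from typing import List, Tuple

# Constructed placeholder standing in for the $SUFFIX macro in the ldif files.
SUFFIX = "dc=example,dc=com"


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute type, value) pairs, honouring escaped commas."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def aci_target_dn(target_clause: str) -> str:
    """Pull the DN out of a clause such as target = "ldap:///cn=*,cn=hbac,$SUFFIX"."""
    match = re.search(r'ldap:///([^"]+)', target_clause)
    if not match:
        raise ValueError("no ldap:/// URL in target clause: %r" % target_clause)
    return match.group(1).replace("$SUFFIX", SUFFIX)


def target_matches(target_clause: str, entry_dn: str) -> bool:
    """True if entry_dn is covered by the ACI target pattern.

    Each RDN of the pattern must line up with the RDN at the same position
    in the entry DN: same attribute type, and a value that matches the
    (possibly wildcarded) pattern value.
    """
    pattern = split_dn(aci_target_dn(target_clause))
    entry = split_dn(entry_dn)
    if len(pattern) != len(entry):
        return False
    for (p_attr, p_val), (e_attr, e_val) in zip(pattern, entry):
        if p_attr != e_attr:
            # cn=* never covers an RDN of type ipauniqueid, whatever the
            # entry's cn attribute holds.
            return False
        if not fnmatch.fnmatchcase(e_val.lower(), p_val.lower()):
            return False
    return True


def review_hbac_aci() -> dict:
    """Compare the target from the patch with a corrected one against an HBAC rule DN."""
    original = 'target = "ldap:///cn=*,cn=hbac,$SUFFIX"'
    corrected = 'target = "ldap:///ipauniqueid=*,cn=hbac,$SUFFIX"'
    # Constructed example DN; real HBAC rules use a generated ipauniqueid.
    hbac_rule = "ipauniqueid=00000000-aaaa-bbbb-cccc-000000000000,cn=hbac,%s" % SUFFIX
    return {
        "original_covers_hbac_rule": target_matches(original, hbac_rule),
        "corrected_covers_hbac_rule": target_matches(corrected, hbac_rule),
        # A wider wildcard target would also catch unrelated containers one
        # level up, which is why the type check is part of the review.
        "original_covers_cn_entry": target_matches(
            original, "cn=some-container,cn=hbac,%s" % SUFFIX
        ),
    }


if __name__ == "__main__":
    for name, result in review_hbac_aci().items():
        print("%-30s %s" % (name, result))
```

Running the module prints that the original target covers `cn=...` children of `cn=hbac` but not the actual `ipauniqueid=...` rule entries, while the corrected target does; the same function can be pointed at any other `target =` clause from the ldif files and a list of DNs dumped from the directory.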
