[Freeipa-devel] [PATCH] 3 Fix ACIs in ipa-adtrust-install

Sumit Bose sbose at redhat.com
Mon Sep 19 13:53:20 UTC 2011


Hi,

while testing the creation of trust objects I found a typo in the ACI
allowing the NT hash to be read and realized that an ACI was missing to
allow the samba user to add and modify the trust objects. The attached
patch should fix it.

bye,
Sumit
From 6f5adfcd4e4f176230abd48bd8aa8847a2add20a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Mon, 19 Sep 2011 11:48:05 +0200
Subject: [PATCH] Fix ACIs in ipa-adtrust-install

---
 ipaserver/install/adtrustinstance.py |   15 +++++++++++++--
 1 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index f2cc3327deb7fb8b7dacf8aef4c42597cc82ca1d..1bd37d4eb1f93db6609f8c9a06ac02923e9db20b 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -102,9 +102,20 @@ class ADTRUSTInstance(service.Service):
         self.admin_conn.add_s(entry)
 
         # And finally grant it permission to read NT passwords, we do not want
-        # to support LM passwords so there is no need to allow access to them
+        # to support LM passwords so there is no need to allow access to them.
+        # Also the premission to create trusted domain objects below the
+        # domain object is granted.
         mod = [(ldap.MOD_ADD, 'aci',
-            str(['(targetattr = "sambaNTPassword")(version 3.0; acl "Samba user can read NT passwords"; allow (read) userdn="ldap:///%s";)' % self.smb_dn]))]
+            str('(targetattr = "sambaNTPassword")' \
+                '(version 3.0; acl "Samba user can read NT passwords";' \
+                'allow (read) userdn="ldap:///%s";)' % self.smb_dn)),
+               (ldap.MOD_ADD, 'aci',
+            str('(target = "ldap:///cn=ad,cn=trusts,%s")' \
+                '(targetattr = "sambaTrustType || sambaTrustAttributes || sambaTrustDirection || sambaTrustPartner || sambaFlatName || sambaTrustAuthOutgoing || sambaTrustAuthIncoming || sambaSecurityIdentifier || sambaTrustForestTrustInfo || sambaTrustPosixOffset || sambaSupportedEncryptionTypes")' \
+                '(version 3.0;acl "Allow samba user to create and delete trust accounts";' \
+                'allow (write,add,delete) userdn = "ldap:///%s";)' % \
+                 (self.suffix, self.smb_dn)))]
+
         try:
             self.admin_conn.modify_s(self.suffix, mod)
         except ldap.TYPE_OR_VALUE_EXISTS:
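Review bot: both ACIs are now sent in a single modify_s call guarded by one `except ldap.TYPE_OR_VALUE_EXISTS`, so on a re-run or an upgrade where the "Samba user can read NT passwords" ACI is already present the whole modification is rejected and the new trust ACI is silently never added; consider applying the two `(ldap.MOD_ADD, 'aci', ...)` entries in separate modify_s calls, each with its own exception handling. The old value was built as `str([...])`, which stored the Python list repr rather than the ACI string; the new code fixes that but the remaining `str(...)` wrappers around plain string literals are now redundant and can be dropped. Also, "premission" in the added comment should read "permission".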
-- 
1.7.6