[Freeipa-devel] [RFE] Permissions V2

Simo Sorce simo at redhat.com
Fri Dec 6 14:28:23 UTC 2013


On Fri, 2013-12-06 at 14:14 +0100, Petr Viktorin wrote:
> On 12/02/2013 02:48 PM, Petr Viktorin wrote:
> > On 12/02/2013 02:29 PM, Simo Sorce wrote:

> >> It would be very nice if you can add the resulting LDAP objects in the
> >> example, that will allow me to reason on the correctness of the
> >> translation.
> >
> > OK, I'll work on that.
> 
> I've added the resulting LDAP objects to the tests here:
> http://www.freeipa.org/index.php?title=V3/Permissions_V2/tests

Thank you Petr,
I was looking at them and I see we often use target=ldap://<dn> type for
selecting which objects this applies to.

This was sort of necessary when the permissions were all in the base and
we wanted to limit to specific entries in subtrees.

However, I was wondering if we shouldn't transition to/allow the use of
targetfilter or targetattrfilter (this would be needed to have
add/delete permissions).

For example, instead of:
  (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")
We could have:
  (targetfilter = "(objectclass=ipaUser)")

It also occurs to me we could do very neat things like allowing manager
access with (targetfilter = "(managedby=<dn>)"), and similar.

In general, using targetfilter and targetattrfilter is more flexible and
allows for applying different permissions depending exactly on the object
type or even specific sets of objects of a common type. Something the
simple target filter cannot do.

What do you think ?

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York
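
The three ACI forms discussed in this mail, written out side by side as an added example (this is not code from the thread, the wiki tests, or FreeIPA itself). The suffix dc=example,dc=com, the group DNs, uid=alice and the ipaUser object class are placeholders modelled on the mail; the attribute keyword for the add/delete case is spelled targetattrfilters, which is the 389-DS keyword. The second variant goes one step beyond the mail and shows the per-manager targetfilter next to a userattr bind rule that covers every manager with a single ACI.

```ldif
# Added example, not part of the mail above or of FreeIPA's own ACIs.
# Four ACIs on the users container of an assumed suffix dc=example,dc=com,
# in 389-DS ACI syntax, to compare the target / targetfilter /
# targetattrfilters forms. Group DNs, uid=alice and the ipaUser object
# class are placeholders taken from or modelled on the mail; adjust them.
#
# 1. DN-pattern target: selects entries by where they sit in the tree.
#    Anything under cn=users whose RDN is uid=... is covered, regardless of
#    which object classes the entry actually has.
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com")
 (targetattr = "telephoneNumber || mobile")
 (version 3.0; acl "Modify phone numbers (DN pattern)";
 allow (write) groupdn = "ldap:///cn=editors,cn=groups,cn=accounts,dc=example,dc=com";)

# 2. targetfilter: selects entries by their contents. The same right is now
#    limited to one object type and, via the second filter term, to a
#    specific subset of it (the entries alice manages). The managedby
#    attribute and the ipaUser class are the mail's placeholders, not a
#    statement about the real schema.
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetfilter = "(&(objectclass=ipaUser)(managedby=uid=alice,cn=users,cn=accounts,dc=example,dc=com))")
 (targetattr = "telephoneNumber || mobile")
 (version 3.0; acl "alice modifies phone numbers of the users she manages";
 allow (write) userdn = "ldap:///uid=alice,cn=users,cn=accounts,dc=example,dc=com";)

# 2b. The per-manager filter above needs one ACI per manager. A userattr
#     bind rule expresses the relation once for all managers: the bound DN
#     must appear as a value of the target entry's managedby attribute.
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetfilter = "(objectclass=ipaUser)")
 (targetattr = "telephoneNumber || mobile")
 (version 3.0; acl "Managers modify phone numbers of the users they manage";
 allow (write) userattr = "managedby#USERDN";)

# 3. targetattrfilters: needed for add and delete rights that depend on the
#    entry being added or removed. The grantee may only add or delete
#    entries whose objectclass values satisfy the filter, so the right
#    cannot be used to create or remove an entry of some other type.
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattrfilters = "add=objectclass:(objectclass=ipaUser), del=objectclass:(objectclass=ipaUser)")
 (version 3.0; acl "Add and delete user entries";
 allow (add, delete) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com";)
```

The file is applied with a normal ldapmodify run as Directory Manager. The practical difference to check when converting an existing permission: a DN-pattern target covers every entry at that location, so an entry of the wrong type placed under cn=users is still matched, while a targetfilter simply does not match an entry that lacks the required object class, which silently drops the permission for it. The third form is the only one that lets an add/delete right constrain what the new entry may contain.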

