[Freeipa-devel] [PATCH] 0505 Default read ACIs for HBAC objects

Martin Kosek mkosek at redhat.com
Mon Apr 7 11:28:00 UTC 2014


On 04/03/2014 12:09 PM, Petr Viktorin wrote:
> Hello,
> This adds read permissions to read HBAC rules, services, and service groups.
> 
> Read access is given to all authenticated users.

So far looked OK in my tests. What about the ACIs like the following one?

(targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny
(read,search,compare) userdn != "ldap:///all";)

Do we want to remove them together with this patch to have the change grouped
together with allow ACIs or do you plan to remove all similar deny ACIs at
once? (together with the master read ACI)

Martin



