[Freeipa-devel] [PATCH] 0505 Default read ACIs for HBAC objects

Petr Viktorin pviktori at redhat.com
Mon Apr 7 11:34:04 UTC 2014

On 04/07/2014 01:28 PM, Martin Kosek wrote:
> On 04/03/2014 12:09 PM, Petr Viktorin wrote:
>> Hello,
>> This adds read permissions to read HBAC rules, services, and service groups.
>> Read access is given to all authenticated users.
> So far looked OK in my tests. What about the ACIs like the following one?
> (targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny
> (read,search,compare) userdn != "ldap:///all";)
> Do we want to remove them together with this patch to have the change grouped
> together with allow ACIs or do you plan to remove all similar deny ACIs at
> once? (together with the master read ACI)
> Martin

I want to remove them after removing the global read ACI, so that in the 
mean time we're not allowing more access than we should.


More information about the Freeipa-devel mailing list