[Freeipa-devel] [PATCH] 477 Add Modify Realm Domains permission

Petr Spacek pspacek at redhat.com
Fri Jul 4 10:09:39 UTC 2014


On 4.7.2014 10:08, Martin Kosek wrote:
> On 07/04/2014 10:00 AM, Petr Spacek wrote:
>> On 4.7.2014 09:34, Martin Kosek wrote:
>>> The permission is required for DNS Administrators as realm domains
>>> object is updated when a master zone is added.
>>>
>>> https://fedorahosted.org/freeipa/ticket/4423
>>
>> I can't resist ;-)
>>
>> NACK: Build failed.
>>
>> --- existing ACI.txt
>> +++ new result
>> @@ -154,6 +154,8 @@
>>   aci: (targetattr = "krbmaxpwdlife || krbminpwdlife ||
>> krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration ||
>> krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength")(targetfilter =
>> "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Modify Group
>> Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group
>> Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
>>   dn: cn=System: Read Group Password
>> Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
>>   aci: (targetattr = "cn || cospriority || krbmaxpwdlife || krbminpwdlife ||
>> krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration ||
>> krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength ||
>> objectclass")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl
>> "permission:System: Read Group Password Policy";allow (compare,read,search)
>> groupdn = "ldap:///cn=System: Read Group Password
>> Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
>> +dn: cn=System: Modify Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
>> +aci: (targetattr = "associateddomain")(targetfilter =
>> "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Modify
>> Realm Domains";allow (write) groupdn = "ldap:///cn=System: Modify Realm
>> Domains,cn=permissions,cn=pbac,dc=ipa,dc=example";)
>>   dn: cn=System: Read Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
>>   aci: (targetattr = "associateddomain || cn || objectclass")(targetfilter =
>> "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Read
>> Realm Domains";allow (compare,read,search) userdn = "ldap:///all";)
>>   dn: cn=System: Add Roles,cn=permissions,cn=pbac,dc=ipa,dc=example
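Review bot: the two `+` lines in this hunk are exactly what is missing from the committed ACI.txt, so the build failure is the patch not carrying the regenerated file rather than a problem with the ACI itself; rerun `makeaci` and include the resulting `dn: cn=System: Modify Realm Domains,...` and `aci: (targetattr = "associateddomain")...allow (write) groupdn = ...` lines in the patch. Note that, unlike the neighbouring Read Realm Domains ACI (`userdn = "ldap:///all"`), the write grant is correctly scoped to the permission's own groupdn, so membership in that permission (via the DNS Administrators privilege named in the commit text) is what controls who can change `associateddomain`; the patch should also show that privilege binding so reviewers can confirm it.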
>>
>> Managed permission ACI validation failed.
>> Re-check permission changes and run `makeaci`.
>> ACI.txt validation failed
>
> Oh, well - here is an updated patch.

ACK from functional perspective. I'm not able to reproduce the problem with 
the patch applied. I have tested clean installation and also upgrade from 3.3.5.

It can be pushed if there is no problem on the Python side of things.

-- 
Petr^2 Spacek
