[Freeipa-devel] [PATCH] 0544 Remove the global anonymous read ACI

Martin Kosek mkosek at redhat.com
Wed May 21 06:08:14 UTC 2014


On 05/19/2014 03:27 PM, Petr Viktorin wrote:
> On 05/16/2014 02:00 PM, Martin Kosek wrote:
>> On 04/29/2014 11:02 PM, Petr Viktorin wrote:
>>> I didn't test this as much as I'd like to, but it might come in handy when
>>> testing my earlier patches.
>>>
>>> The ACI is removed in the managed permissions plugin because I want to make
>>> sure it's done after all the managed permission updates, which query it.
>>
>> It worked in my case (I tested an upgrade from 3.3.5). What do we do about other
>> permissions we will want to remove? I am talking about the following ACIs:
>>
>> - no anonymous access to roles
>> - no anonymous access to sudo
>> - no anonymous access to hbac
>> - no anonymous access to member information
>>
>> I would like to remove them in 544 as well, as otherwise they would bias the
>> testing.
> 
> Right. Here is the updated patch.

I tested an upgrade from 3.3.5 to 4.0 and in SUFFIX I still had some of the ACIs left:

(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)

(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=mkosek-fedora20,dc=test")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)

The problem is that you used your testing suffix instead of the suffix variable.

Martin
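The failure Martin describes is a matching problem: an upgrade step that deletes ACIs by comparing against a template only finds them if the template refers to the instance's real base DN through the suffix variable, not a developer's test suffix. The Python below is an added example written for this page, not code from the patch or from FreeIPA. The two leftover ACI values are taken from the mail (line wrapping removed); the third allow ACI, the template strings, the `$SUFFIX` placeholder convention and the "dc=dev-machine,dc=test" test suffix are constructed for the demonstration.

```python
"""Check which 'No anonymous access to ...' deny ACIs remain on a 389-ds suffix
entry after an upgrade, and show why matching them against a template with a
hardcoded test suffix instead of $SUFFIX leaves them in place.

Added example, not FreeIPA code. Inputs are constructed from the ACIs quoted
in the mail; the templates and the 'dev-machine' suffix are assumptions.
"""
import re
from string import Template

# Real base DN of the instance being upgraded (from Martin's output).
SUFFIX = "dc=mkosek-fedora20,dc=test"

# Constructed aci values as read back from the suffix entry: the two leftovers
# from the mail, plus one unrelated allow ACI so the filter has to discriminate.
ACI_VALUES = [
    '(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,'
    'dc=mkosek-fedora20,dc=test")(version 3.0; acl "No anonymous access '
    'to roles"; deny (read,search,compare) userdn != "ldap:///all";)',
    '(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,'
    'dc=mkosek-fedora20,dc=test")(version 3.0; acl "No anonymous access '
    'to sudo"; deny (read,search,compare) userdn != "ldap:///all";)',
    # constructed, not a real FreeIPA ACI
    '(targetattr = "cn")(version 3.0; acl "Example allow"; '
    'allow (read,search,compare) userdn = "ldap:///anyone";)',
]

# Templates of the ACIs the upgrade should delete. The correct form refers to
# the base DN via $SUFFIX; the buggy form bakes in a developer's test suffix
# (the value below is made up for the demonstration).
GOOD_TEMPLATES = [
    '(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")'
    '(version 3.0; acl "No anonymous access to roles"; '
    'deny (read,search,compare) userdn != "ldap:///all";)',
    '(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,$SUFFIX")'
    '(version 3.0; acl "No anonymous access to sudo"; '
    'deny (read,search,compare) userdn != "ldap:///all";)',
]
BAD_TEMPLATES = [t.replace("$SUFFIX", "dc=dev-machine,dc=test") for t in GOOD_TEMPLATES]

_ACL_RE = re.compile(r'acl\s+"([^"]*)"')
_TARGET_RE = re.compile(r'\(target\s*=\s*"([^"]*)"\)')   # does not match (targetattr ...)
_TYPE_RE = re.compile(r';\s*(allow|deny)\s*\(')


def parse_aci(aci):
    """Extract only the fields a removal check needs: acl name, target DN, allow/deny."""
    m_acl, m_target, m_type = _ACL_RE.search(aci), _TARGET_RE.search(aci), _TYPE_RE.search(aci)
    return {
        "name": m_acl.group(1) if m_acl else None,
        "target": m_target.group(1).lower() if m_target else None,  # DNs are case-insensitive
        "type": m_type.group(1) if m_type else None,
    }


def _key(aci):
    p = parse_aci(aci)
    return (p["name"], p["target"], p["type"])


def acis_to_remove(aci_values, templates, suffix):
    """Stored aci values that match a template once $SUFFIX is filled in.
    Comparison is on (name, target, type), not raw text, so whitespace
    differences in how the server stores the value do not matter."""
    wanted = {_key(Template(t).substitute(SUFFIX=suffix)) for t in templates}
    return [a for a in aci_values if _key(a) in wanted]


def leftover_anonymous_denies(aci_values):
    """Post-upgrade check: names of 'No anonymous access ...' deny ACIs still present."""
    parsed = [parse_aci(a) for a in aci_values]
    return [p["name"] for p in parsed
            if p["type"] == "deny" and (p["name"] or "").lower().startswith("no anonymous access")]


def templates_with_hardcoded_suffix(templates):
    """Lint: templates whose target DN contains a literal dc=... instead of $SUFFIX."""
    bad = []
    for t in templates:
        m = _TARGET_RE.search(t)
        if m and "$SUFFIX" not in m.group(1) and re.search(r"dc=", m.group(1), re.I):
            bad.append(t)
    return bad


if __name__ == "__main__":
    print("with $SUFFIX templates, would remove:", len(acis_to_remove(ACI_VALUES, GOOD_TEMPLATES, SUFFIX)))
    print("with hardcoded-suffix templates, would remove:", len(acis_to_remove(ACI_VALUES, BAD_TEMPLATES, SUFFIX)))
    print("still present after a buggy run:", leftover_anonymous_denies(ACI_VALUES))
    print("templates that need $SUFFIX:", len(templates_with_hardcoded_suffix(BAD_TEMPLATES)))
```

Running the same removal logic with the `$SUFFIX` templates matches both leftover ACIs, while the templates carrying a hardcoded test suffix match nothing on an instance with a different base DN, which is exactly the symptom in the mail. The `leftover_anonymous_denies` check is the kind of post-upgrade assertion worth adding to an upgrade test, and `templates_with_hardcoded_suffix` catches the mistake before a patch ships.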
