[Freeipa-devel] [PATCH] 0544 Remove the global anonymous read ACI

Petr Viktorin pviktori at redhat.com
Thu May 22 14:03:41 UTC 2014


On 05/21/2014 08:08 AM, Martin Kosek wrote:
> On 05/19/2014 03:27 PM, Petr Viktorin wrote:
>> On 05/16/2014 02:00 PM, Martin Kosek wrote:
>>> On 04/29/2014 11:02 PM, Petr Viktorin wrote:
>>>> I didn't test this as much as I'd like to, but it might come in handy when
>>>> testing my earlier patches.
>>>>
>>>> The ACI is removed in the managed permissions plugin because I want to make
>>>> sure it's done after all the managed permission updates, which query it.
>>>
>>> It worked in my case (I tested upgrade from 3.3.5). What do we do about other
>>> permissions we will want to remove? I am talking about the following ACIs:
>>>
>>> - no anonymous access to roles
>>> - no anonymous access to sudo
>>> - no anonymous access to hbac
>>> - no anonymous access to member information
>>>
>>> I would like to remove them in 544 as well, as otherwise they would bias the
>>> testing.
>>
>> Right. Here is the updated patch.
>
> I tested upgrade from 3.3.5 to 4.0 and in SUFFIX I still had some of the ACIs left:
>
> (targetattr = "*")(target =
> "ldap:///cn=*,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test")(version 3.0;
> acl "No anonymous access to roles"; deny (read,search,compare) userdn !=
> "ldap:///all";)
>
> (targetattr = "*")(target =
> "ldap:///cn=*,ou=SUDOers,dc=mkosek-fedora20,dc=test")(version 3.0; acl "No
> anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)
>
> The problem is that you used your testing suffix instead of suffix variable.

Shame on me. I've updated & rebased the patch.

I've also made a git hook yell at me when I commit something containing 
"BRQ", hopefully this won't happen again.

-- 
Petr³

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0544.3-Remove-the-global-anonymous-read-ACI.patch
Type: text/x-patch
Size: 12789 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140522/a8b1d02b/attachment.bin>
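As an added example (not part of this thread and not FreeIPA's own code), here is the check Martin did by hand when he found the leftover ACIs, in Python: parse each ACI's target DN and report the ones whose target is not under the deployment suffix, which is exactly what a hardcoded test suffix looks like after an upgrade on a different install. `DEPLOYMENT_SUFFIX` and `SAMPLE_ACIS` are constructed (the first two sample strings mirror the ACIs quoted above, the third is a correctly suffixed one); `render_deny_aci` is a hypothetical helper that shows the suffix being substituted instead of typed in.

```python
import re
from typing import List, Tuple

# Constructed deployment suffix; on a real server this comes from the
# installed configuration, never from a literal in the plugin.
DEPLOYMENT_SUFFIX = "dc=example,dc=com"

# Constructed sample ACIs. The first two carry a hardcoded test suffix
# (the bug discussed in the thread); the third uses the deployment suffix.
SAMPLE_ACIS: List[str] = [
    '(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test")'
    '(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)',
    '(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=mkosek-fedora20,dc=test")'
    '(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)',
    '(targetattr = "*")(target = "ldap:///cn=*,cn=hbac,dc=example,dc=com")'
    '(version 3.0; acl "No anonymous access to hbac"; deny (read,search,compare) userdn != "ldap:///all";)',
]

_TARGET_RE = re.compile(r'\(target\s*=\s*"ldap:///([^"]*)"\)')
_NAME_RE = re.compile(r'acl\s+"([^"]*)"')


def parse_aci(aci: str) -> Tuple[str, str]:
    """Return (acl name, target DN) from a 389-DS style ACI string.

    Raises ValueError when either part is missing, so a malformed ACI is
    reported rather than silently skipped.
    """
    target = _TARGET_RE.search(aci)
    name = _NAME_RE.search(aci)
    if target is None or name is None:
        raise ValueError(f"cannot parse ACI: {aci!r}")
    return name.group(1), target.group(1)


def normalize_dn(dn: str) -> str:
    """Lowercase the DN and drop whitespace around ',' and '=' for comparison."""
    parts = [re.sub(r"\s*=\s*", "=", p.strip()) for p in dn.split(",")]
    return ",".join(parts).lower()


def has_suffix(dn: str, suffix: str) -> bool:
    """True if dn equals suffix or lies beneath it."""
    d, s = normalize_dn(dn), normalize_dn(suffix)
    return d == s or d.endswith("," + s)


def find_foreign_suffix_acis(acis: List[str], suffix: str) -> List[Tuple[str, str]]:
    """Return (acl name, target DN) for every ACI whose target is outside suffix.

    An ACI like that can never match a real entry on this server, and an
    upgrade step that looks for the correctly suffixed string will never
    find and remove it.
    """
    foreign = []
    for aci in acis:
        name, target = parse_aci(aci)
        if not has_suffix(target, suffix):
            foreign.append((name, target))
    return foreign


def render_deny_aci(name: str, target_rdns: str, suffix: str) -> str:
    """Hypothetical helper: build the deny ACI with the suffix substituted in."""
    return (
        f'(targetattr = "*")(target = "ldap:///{target_rdns},{suffix}")'
        f'(version 3.0; acl "{name}"; deny (read,search,compare) userdn != "ldap:///all";)'
    )


if __name__ == "__main__":
    for name, target in find_foreign_suffix_acis(SAMPLE_ACIS, DEPLOYMENT_SUFFIX):
        print(f"leftover ACI with foreign suffix: {name!r} -> {target}")
    print(render_deny_aci("No anonymous access to roles", "cn=*,cn=roles,cn=accounts", DEPLOYMENT_SUFFIX))
```

Run against a dump of the suffix's `aci` attribute values, the report lists "No anonymous access to roles" and "No anonymous access to sudo" for the sample above and nothing for the hbac one; the same comparison is what an upgrade plugin should do before deciding an ACI is gone.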
