[Freeipa-devel] [PATCH] 0544 Remove the global anonymous read ACI

Martin Kosek mkosek at redhat.com
Fri May 23 12:26:21 UTC 2014


On 05/22/2014 04:03 PM, Petr Viktorin wrote:
> On 05/21/2014 08:08 AM, Martin Kosek wrote:
>> On 05/19/2014 03:27 PM, Petr Viktorin wrote:
>>> On 05/16/2014 02:00 PM, Martin Kosek wrote:
>>>> On 04/29/2014 11:02 PM, Petr Viktorin wrote:
>>>>> I didn't test this as much as I'd like to, but it might come in handy when
>>>>> testing my earlier patches.
>>>>>
>>>>> The ACI is removed in the managed permissions plugin because I want to make
>>>>> sure it's done after all the managed permission updates, which query it.
>>>>
>>>> It worked in my case (I tested an upgrade from 3.3.5). What do we do about other
>>>> permissions we will want to remove? I am talking about the following ACIs:
>>>>
>>>> - no anonymous access to roles
>>>> - no anonymous access to sudo
>>>> - no anonymous access to hbac
>>>> - no anonymous access to member information
>>>>
>>>> I would like to remove them in 544 as well, as otherwise they would bias the
>>>> testing.
>>>
>>> Right. Here is the updated patch.
>>
>> I tested an upgrade from 3.3.5 to 4.0 and in SUFFIX I still had some of the ACIs
>> left:
>>
>> (targetattr = "*")(target =
>> "ldap:///cn=*,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test")(version 3.0;
>> acl "No anonymous access to roles"; deny (read,search,compare) userdn !=
>> "ldap:///all";)
>>
>> (targetattr = "*")(target =
>> "ldap:///cn=*,ou=SUDOers,dc=mkosek-fedora20,dc=test")(version 3.0; acl "No
>> anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)
>>
>> The problem is that you used your testing suffix instead of the suffix variable.
> 
> Shame on me. I've updated & rebased the patch.
> 
> I've also made a git hook yell at me when I commit something containing "BRQ",
> hopefully this won't happen again.

Would it make sense to publish your FreeIPA git hooks somewhere on
http://www.freeipa.org/page/Contribute/Code or your github and link it? I think
it already contains a couple of gems that may help other people prevent basic errors
like this one.

Otherwise, the patch worked fine - ACK!

I would like it to be pushed as soon as the user ACI patch is pushed so that we
have some time to find issues.

Martin
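As an added example, not code from this thread or from FreeIPA itself: a small Python checker for ACIs of the shape quoted above. It parses each ACI, flags a target DN that hard-codes a concrete suffix instead of a placeholder (the bug Martin found), and reports "deny anonymous" ACIs that an upgrade was supposed to remove. The `$SUFFIX` placeholder convention, the function names and the sample inputs (the two ACIs quoted in the thread plus a templated copy of the first) are this example's own assumptions.

```python
import re
from string import Template

# Added example, not FreeIPA's own code. Parses ACIs of the shape quoted in the
# thread and flags the two problems discussed there: a target DN that hard-codes a
# test suffix instead of the suffix variable, and leftover "deny anonymous" ACIs
# after an upgrade. The $SUFFIX placeholder and all function names are assumptions.

ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<targetattr>[^"]*)"\)'
    r'\s*\(target\s*=\s*"(?P<target>[^"]*)"\)'
    r'\s*\(version\s+3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<perms>[^)]*)\)\s*'
    r'userdn\s*(?P<op>!=|=)\s*"(?P<userdn>[^"]*)";\s*\)'
)

# Constructed inputs: the two ACIs quoted in the mail, wrapped as they appear there,
# plus the roles ACI written with the suffix placeholder instead of a concrete DN.
ROLES_ACI = '''(targetattr = "*")(target =
"ldap:///cn=*,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test")(version 3.0;
acl "No anonymous access to roles"; deny (read,search,compare) userdn !=
"ldap:///all";)'''
SUDO_ACI = '''(targetattr = "*")(target =
"ldap:///cn=*,ou=SUDOers,dc=mkosek-fedora20,dc=test")(version 3.0; acl "No
anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)'''
ROLES_TEMPLATE = ('(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")'
                  '(version 3.0; acl "No anonymous access to roles"; '
                  'deny (read,search,compare) userdn != "ldap:///all";)')


def parse_aci(text):
    """Parse one ACI string into a dict; mail line wraps are collapsed first."""
    flat = " ".join(text.split())
    m = ACI_RE.fullmatch(flat)
    if m is None:
        raise ValueError("unrecognised ACI: %r" % flat)
    aci = m.groupdict()
    aci["perms"] = [p.strip() for p in aci["perms"].split(",")]
    if not aci["target"].startswith("ldap:///"):
        raise ValueError("target is not an LDAP URL: %r" % aci["target"])
    aci["target_dn"] = aci["target"][len("ldap:///"):]
    return aci


def hardcoded_suffix(aci_text, suffix_var="$SUFFIX"):
    """Return the target DN when it ends in a concrete suffix rather than the
    placeholder; None when the placeholder is used as intended."""
    dn = parse_aci(aci_text)["target_dn"]
    return None if dn.endswith(suffix_var) else dn


def denies_anonymous(aci_text):
    """True for the 'No anonymous access to ...' pattern: deny for every bind
    that is not an authenticated entry (userdn != ldap:///all)."""
    aci = parse_aci(aci_text)
    return (aci["effect"] == "deny" and aci["op"] == "!="
            and aci["userdn"] == "ldap:///all")


def render(aci_template, suffix):
    """Substitute the suffix placeholder the way an update file would be rendered."""
    return Template(aci_template).substitute(SUFFIX=suffix)


def audit(aci_texts, suffix_var="$SUFFIX"):
    """Return (acl name, problem) pairs a reviewer or an upgrade test would want to see."""
    findings = []
    for text in aci_texts:
        aci = parse_aci(text)
        dn = hardcoded_suffix(text, suffix_var)
        if dn is not None:
            findings.append((aci["name"], "hard-coded suffix in target: " + dn))
        if denies_anonymous(text):
            findings.append((aci["name"], "anonymous-deny ACI still present"))
    return findings


if __name__ == "__main__":
    for name, problem in audit([ROLES_ACI, SUDO_ACI, ROLES_TEMPLATE]):
        print("%s: %s" % (name, problem))
```

Run against a dump of the ACIs left in the suffix after an upgrade, `audit()` lists every "No anonymous access to ..." ACI that is still present, which is the check Martin did by hand above; run against the update templates before commit, `hardcoded_suffix()` catches a concrete test suffix where `$SUFFIX` belongs, which is the job of the git hook Petr mentions.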
