[Freeipa-devel] [PATCHES] 0552-0554 Upgrading write permissions

Ludwig Krispenz lkrispen at redhat.com
Wed May 28 15:03:44 UTC 2014


On 05/28/2014 04:56 PM, Martin Kosek wrote:
> On 05/28/2014 04:50 PM, Simo Sorce wrote:
>> On Wed, 2014-05-28 at 16:27 +0200, Petr Viktorin wrote:
>>> Simo, I hazily remember discussing that we should only allow specific
>>> attributes on add, otherwise users can add entries with any extra
>>> objectclasses and attributes. Did we come to a conclusion?
>>> I might have confused targetattr with targetattrfilter in my notes;
>>> since I see targetattr is ineffective.
>>>
>> Yes we need to restrict at least the allowed objectclasses I think.
>>
>> Simo.
>>
> We do not have support for targetattrfilter, I do not think this was ever
> tested. This part of ACI is also not very well documented, I think Petr found
> just one notice in the DS documentation about targetattrfilter.
It is in chapter 13.2.3.5 in 
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html#Creating_ACIs_Manually-Defining_Targets
and it is for unknown reasons: targattrfilters
>
> For 4.0, I would keep the add ACIs as they are (we do not have time for
> additional experiments anyway). If we feel the urge later, given the
> permissions are managed, it should be easy to change that.
>
> Martin
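
An added illustration, not part of the thread and not FreeIPA's own ACIs: the targattrfilters keyword from the Directory Server chapter linked above, used to limit which objectClass values an entry may carry when it is added. The suffix, group DN, ACI names and objectclass list are constructed placeholders.

```ldif
# Constructed example for a 389 Directory Server container entry.
# A single modify swaps an unrestricted add ACI for one whose
# targattrfilters "add=" clause constrains objectClass values.
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
# Before: any member of the (hypothetical) example-admins group may add a
# uid=* entry carrying arbitrary objectclasses.
delete: aci
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com")(version 3.0; acl "example: add users"; allow (add) groupdn = "ldap:///cn=example-admins,cn=groups,cn=accounts,dc=example,dc=com";)
-
# After: every objectClass value in the new entry must match the filter,
# so an add that includes any other objectclass is denied.
add: aci
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com")(targattrfilters = "add=objectClass:(|(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson)(objectClass=posixAccount))")(version 3.0; acl "example: add users, restricted objectclasses"; allow (add) groupdn = "ldap:///cn=example-admins,cn=groups,cn=accounts,dc=example,dc=com";)
```

The filter constrains only the attributes it names; further attributes can be chained in the same clause with `&&`, as in `add=attr1:F1 && attr2:F2`.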
