[Freeipa-devel] [PATCHES] 0552-0554 Upgrading write permissions

Martin Kosek mkosek at redhat.com
Wed May 28 15:08:52 UTC 2014


On 05/28/2014 05:03 PM, Ludwig Krispenz wrote:
> 
> On 05/28/2014 04:56 PM, Martin Kosek wrote:
>> On 05/28/2014 04:50 PM, Simo Sorce wrote:
>>> On Wed, 2014-05-28 at 16:27 +0200, Petr Viktorin wrote:
>>>> Simo, I hazily remember discussing that we should only allow specific
>>>> attributes on add, otherwise users can add entries with any extra
>>>> objectclasses and attributes. Did we come to a conclusion?
>>>> I might have confused targetattr with targetattrfilter in my notes;
>>>> since I see targetattr is ineffective.
>>>>
>>> Yes we need to restrict at least the allowed objectclasses I think.
>>>
>>> Simo.
>>>
>> We do not have support for targetattrfilter, I do not think this was ever
>> tested. This part of ACI is also not very well documented, I think Petr found
>> just one notice in the DS documentation about targetattrfilter.
> It is in chapter 13.2.3.5 in
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html#Creating_ACIs_Manually-Defining_Targets
> 
> and it is for unknown reasons: targattrfilters

Right, this is what I (and Petr) was talking about. The doc contains just this
single one line of information about targetattrfilters. Try googling that and
you won't get much more.

Just for completeness, posting one of the top findings:

Bug 1032767 - Examples of the targetattrfilters ACI keyword need to be documented

Martin



