[Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

Rob Crittenden rcritten at redhat.com
Thu Sep 18 18:57:45 UTC 2014 

Martin Kosek wrote:
> On 09/18/2014 04:06 PM, David Kupka wrote:
>> On 09/18/2014 03:44 PM, Rob Crittenden wrote:
>>> David Kupka wrote:
>>>> https://fedorahosted.org/freeipa/ticket/4421
>>>
>>> You are removing an ACI in this patch. It is always possible it is no
>>> longer needed. Did you test all the client enrollment scenarios?
>>>
>>> rob
>>>
>>
>> As far as I'm aware I'm not removing any ACI. I'm modifying ACI so it is
>> possible to add krbPrincipalName to host even when there is already one (or
>> more). And adding one ACI to allow writing krbCanonicalName to host.
>> But I'm still not really familiar with ACI so please correct me if I'm wrong.
>>
> 
> What refers to is probably the update in ACI.txt - the ACI alternative to
> API.txt. David updated an ACI, not removed it.
> 
> On that note, what is the reason for this permission change:
> 
> -            'ipapermtargetfilter': [
> -                '(objectclass=ipahost)',
> -                '(!(krbprincipalname=*))',
> -            ],
> 
> ?

Yes, this is exactly the change I was referring to. Permission changes
within a plugin now translate automatically to ACI changes. Sorry I
wasn't clearer.

This ACI gets replaced with a much simpler one and I'm not 100% sure it
will work with all enrollments:

-aci: (targetattr = "krbprincipalname")(targetfilter =
"(&(!(krbprincipalname=*))(objectclass=ipahost))")(version 3.0;acl
"permission:System: Add krbPrincipalName to a Host";allow (write)
groupdn = "ldap:///cn=System: Add krbPrincipalName to a
Host,cn=permissions,cn=pbac,dc=ipa,dc=example";)

+aci: (targetattr = "krbprincipalname")(targetfilter =
"(objectclass=ipahost)")(version 3.0;acl "permission:System: Add
krbPrincipalName to a Host";allow (write) groupdn = "ldap:///cn=System:
Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example";)

The first one restricts writing the attribute only if it isn't already
set. The second lets it be changed unconditionally.

rob

More information about the Freeipa-devel mailing list