[Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

Simo Sorce simo at redhat.com
Thu Sep 18 19:11:55 UTC 2014


On Thu, 18 Sep 2014 14:57:45 -0400
Rob Crittenden <rcritten at redhat.com> wrote:

> Martin Kosek wrote:
> > On 09/18/2014 04:06 PM, David Kupka wrote:
> >> On 09/18/2014 03:44 PM, Rob Crittenden wrote:
> >>> David Kupka wrote:
> >>>> https://fedorahosted.org/freeipa/ticket/4421
> >>>
> >>> You are removing an ACI in this patch. It is always possible it
> >>> is no longer needed. Did you test all the client enrollment
> >>> scenarios?
> >>>
> >>> rob
> >>>
> >>
> >> As far as I'm aware I'm not removing any ACI. I'm modifying ACI so
> >> it is possible to add krbPrincipalName to host even when there is
> >> already one (or more). And adding one ACI to allow writing
> >> krbCanonicalName to host. But I'm still not really familiar with
> >> ACI so please correct me if I'm wrong.
> >>
> > 
> > What Rob refers to is probably the update in ACI.txt - the ACI
> > alternative to API.txt. David updated an ACI, not removed it.
> > 
> > On that note, what is the reason for this permission change:
> > 
> > -            'ipapermtargetfilter': [
> > -                '(objectclass=ipahost)',
> > -                '(!(krbprincipalname=*))',
> > -            ],
> > 
> > ?
> 
> Yes, this is exactly the change I was referring to. Permission changes
> within a plugin now translate automatically to ACI changes. Sorry I
> wasn't clearer.
> 
> This ACI gets replaced with a much simpler one and I'm not 100% sure
> it will work with all enrollments:
> 
> -aci: (targetattr = "krbprincipalname")(targetfilter =
> "(&(!(krbprincipalname=*))(objectclass=ipahost))")(version 3.0;acl
> "permission:System: Add krbPrincipalName to a Host";allow (write)
> groupdn = "ldap:///cn=System: Add krbPrincipalName to a
> Host,cn=permissions,cn=pbac,dc=ipa,dc=example";)
> 
> +aci: (targetattr = "krbprincipalname")(targetfilter =
> "(objectclass=ipahost)")(version 3.0;acl "permission:System: Add
> krbPrincipalName to a Host";allow (write) groupdn =
> "ldap:///cn=System: Add krbPrincipalName to a
> Host,cn=permissions,cn=pbac,dc=ipa,dc=example";)
> 
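Review bot: the `+aci` line drops the `(!(krbprincipalname=*))` clause from the targetfilter, so the permission "System: Add krbPrincipalName to a Host" is no longer limited to hosts that have no principal yet; a member of the permission group can also overwrite an existing `krbprincipalname`. If the intent is to allow additional principals while still protecting the existing one, keep a targetfilter (or another restriction) that distinguishes the enrollment case from a rename, rather than `(objectclass=ipahost)` alone.
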
> The first one restricts writing the attribute only if it isn't already
> set. The second lets it be changed unconditionally.

Yeah, this is wrong indeed: the point of the ACI is to allow setting the
principal only when it is not already set, which is the OTP enrollment
case. But if krbprincipal is set, then this specific permission should
not grant rights to change it.

At least this was my understanding.

Simo.



-- 
Simo Sorce * Red Hat, Inc * New York
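The scoping difference Rob and Simo describe, as an added example (not FreeIPA or 389-DS code): a minimal evaluator for the LDAP filter operators used in the two quoted targetfilters, run against two constructed host entries. The host names and attribute values are made up; only the filters are taken from the thread.

```python
# The two targetfilters quoted in the thread (old: before the patch, new: after).
OLD_FILTER = "(&(!(krbprincipalname=*))(objectclass=ipahost))"
NEW_FILTER = "(objectclass=ipahost)"


def parse(s, i=0):
    """Parse one parenthesised filter starting at s[i]; return (node, next_i).
    Handles &, |, !, equality (attr=value) and presence (attr=*) only."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|!":
        op, i = s[i], i + 1
        kids = []
        while s[i] != ")":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.lower(), value), j + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry given as {attr: [values]}."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    if value == "*":  # presence test: any value at all
        return bool(values)
    return value.lower() in values


def in_scope(filter_str, entry):
    """True if the ACI's targetfilter puts this entry within the permission's scope."""
    node, _ = parse(filter_str)
    return matches(node, entry)


# Constructed entries: a host that has no principal yet (the OTP enrollment
# case) and a host that already has one.
UNENROLLED = {"objectclass": ["ipaHost", "top"], "fqdn": ["a.example.test"]}
ENROLLED = dict(UNENROLLED, krbprincipalname=["host/a.example.test@EXAMPLE.TEST"])

if __name__ == "__main__":
    for name, f in (("old", OLD_FILTER), ("new", NEW_FILTER)):
        print(name, "unenrolled:", in_scope(f, UNENROLLED), "enrolled:", in_scope(f, ENROLLED))
```

With the old filter only the unenrolled host is in scope; with the new one both are, which is the widening the thread objects to.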
