[Freeipa-devel] [PATCH] Password vault
Jan Cholasta
jcholast at redhat.com
Wed Jul 8 06:30:49 UTC 2015
Dne 7.7.2015 v 16:42 Endi Sukma Dewata napsal(a):
> ----- Original Message -----
>> On 07/07/2015 10:51 AM, Jan Cholasta wrote:
>>> Dne 3.7.2015 v 15:44 Endi Sukma Dewata napsal(a):
>>>> Here is the rebased patch for vault access control.
>>>>
>>>
>>> LGTM, except:
>>>
>>> @@ -356,6 +386,13 @@ class vault(LDAPObject):
>>> {
>>> 'objectclass': ['nsContainer'],
>>> 'cn': rdn['cn'],
>>> + 'aci':
>>> + '(targetfilter="(objectClass=ipaVault)")' +
>>> + '(version 3.0; ' +
>>> + 'acl "User can manage private vaults"; ' +
>>> + 'allow(read, search, compare, add, delete) ' +
>>> + 'userdn="ldap:///%s";)'
>>> + % owner_dn
>>> })
>>>
>>> # if entry can be added, return
>>>
>>> I don't think dynamically creating ACIs with hardcoded userdn is something
>>> we
>>> want to do. This should be handled by a single ACI in cn=vaults.
>>
>> +1. Single ACI like
>>
>> +default: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl
>> "Vault
>> owners can manage the vault"; allow(read, search, compare, write)
>> userattr="owner#USERDN";)
>>
>> you already have there is more preferred.
>
> New patch attached. For this to work the container itself needs an 'owner' attribute, so I changed the nsContainer into ipaVaultContainer.
I don't think that's really necessary on the top-level containers.
Anyway, the patch works, so ACK.
Pushed to master: bf6df3df9b388753a52a0040d9c15b1eabce41ca
--
Jan Cholasta
More information about the Freeipa-devel
mailing list