URL: https://github.com/freeipa/freeipa/pull/5023
Author: marcus2376
Title: #5023: Issue 8456 - Add new aci's for the new replication changelog entries
Action: opened

PR body:
"""
Description:
We need a read and a write aci for the new changelog location, which was moved from cn=changelog5,cn=config to cn=changelog,cn=BACKEND,cn=ldbm database,cn=plugins,cn=config

The read aci allows the replica hostgroup entry to find and read the changelog configuration, and the write allows the replica to update the changelog with proper trimming settings.

Fixes: https://pagure.io/freeipa/issue/8456

Signed-off-by: Mark Reynolds <mreyno...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5023/head:pr5023
git checkout pr5023
From 1d512ad801557de26b41c5265b70eaf3e27d7c6b Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreyno...@redhat.com>
Date: Mon, 10 Aug 2020 10:54:47 -0400
Subject: [PATCH] Issue 8456 - Add new aci's for the new replication changelog entries

Description:
We need a read and a write aci for the new changelog location, which was moved from cn=changelog5,cn=config to cn=changelog,cn=BACKEND,cn=ldbm database,cn=plugins,cn=config

The read aci allows the replica hostgroup entry to find and read the changelog configuration, and the write allows the replica to update the changelog with proper trimming settings.

Fixes: https://pagure.io/freeipa/issue/8456

Signed-off-by: Mark Reynolds <mreyno...@redhat.com>
---
 install/updates/40-delegation.update | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index daa75a2fc9..cf60480cf0 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -211,6 +211,8 @@ default:ipapermissiontype: SYSTEM dn: cn=config add:aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || objectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX";) +add:aci: (targetattr = "cn || objectclass || nsslapd-changelogmaxentries || nsslapd-changelogmaxage || nsslapd-changelogtrim-interval || nsslapd-encryptionalgorithm || nsSymmetricKey")(targetfilter = "cn=changelog")(target = "ldap:///cn=ldbm database,cn=plugins,cn=config")(version 3.0; acl "Replication Admin read access to replication changelog"; allow (read,search) groupdn = "ldap:///cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX";) +add:aci: (targetattr = "nsslapd-changelogmaxentries || nsslapd-changelogmaxage || nsslapd-changelogtrim-interval || nsslapd-encryptionalgorithm || nsSymmetricKey")(targetfilter = "cn=changelog")(target = "ldap:///cn=ldbm database,cn=plugins,cn=config")(version 3.0; acl "Replication Admin write access to replication changelog"; allow (write) groupdn = "ldap:///cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX";) dn: cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX default:objectClass: groupofnames
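Review bot: The write aci (second added line) grants write on nsslapd-encryptionalgorithm and nsSymmetricKey, while the commit message only motivates write access for the changelog trimming settings. Unless replicas must change changelog encryption through this privilege, narrow its targetattr to `nsslapd-changelogmaxentries || nsslapd-changelogmaxage || nsslapd-changelogtrim-interval`. The read aci (first added line) likewise makes nsSymmetricKey readable by every member of Replication Administrators; drop it from the read list if nothing consumes it, or state in the commit message why it is required. Both acis also combine targetfilter "cn=changelog" with the target cn=ldbm database,cn=plugins,cn=config, so they apply to the changelog entry under every backend; a short comment in the update file saying this is intended would help later reviewers.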