Rob Crittenden wrote:
Jakub Hrozek wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/17/2011 04:35 AM, Rob Crittenden wrote:
Add default roles and permissions for HBAC, SUDO and pw policy

Created some default roles as examples. In doing so I realized that we
were completely missing default rules for HBAC, SUDO and password policy
so I added those as well.

I ran into a problem when the updater has a default record and an add at
the same time, it should handle it better now.

ticket 585

rob


I'm not sure about the HBAC rules ACIs. They are specified as:

'target = "ldap:///cn=*,cn=hbac,$SUFFIX";'

while HBAC rules' DN is:

'ipauniqueid=*,cn=hbac,$SUFFIX'.

But HBAC rules do have a cn: attribute, so maybe the ACIs would work?

No, you're right, this is wrong. I'll fix it up and resubmit.


The patch also needs rebasing on top of recent changes to
install/updates/Makefile.am

Other than that, looks OK to me.

btw when I was reviewing this patch, I noticed we add a "DNS
Administrators" privilege in dns.ldif. Would it make sense to add DNS
administration to "Security Architect" (replication management) and "IT
Specialist" (hosts management)?

The DNS stuff is added only if DNS is enabled on the server so I can't
add them by default.

rob

Updated patch.

rob

Attachment: freeipa-rcrit-728-2-roles.patch
Description: application/mbox

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to