Add default roles and permissions for HBAC, SUDO and pw policy

Created some default roles as examples. In doing so I realized that we
were completely missing default rules for HBAC, SUDO and password policy
so I added those as well.

I ran into a problem when the updater has a default record and an add at
the same time; it should handle it better now.

ticket 585


I'm not sure about the HBAC rules ACIs. They are specified as:

'target = "ldap:///cn=*,cn=hbac,$SUFFIX";'

while HBAC rules' DN is:


But HBAC rules do have a cn: attribute, so maybe the ACIs would work?

No, you're right, this is wrong. I'll fix it up and resubmit.

The patch also needs rebasing on top of recent changes to

Other than that, looks OK to me.

btw when I was reviewing this patch, I noticed we add a "DNS
Administrators" privilege in dns.ldif. Would it make sense to add DNS
administration to "Security Architect" (replication management) and "IT
Specialist" (hosts management)?

The DNS stuff is added only if DNS is enabled on the server so I can't
add them by default.


Updated patch.


