Martin Kosek wrote:
On Tue, 2011-02-22 at 09:22 -0500, Rob Crittenden wrote:
Martin Kosek wrote:
On Tue, 2011-02-22 at 13:14 +0100, Jan Zelený wrote:
Rob Crittenden<>   wrote:
Jakub Hrozek wrote:
On Mon, Feb 21, 2011 at 10:11:38AM -0500, Rob Crittenden wrote:
Rob Crittenden wrote:
Jakub Hrozek wrote:
Hash: SHA1

On 02/17/2011 04:35 AM, Rob Crittenden wrote:
Add default roles and permissions for HBAC, SUDO and pw policy

Created some default roles as examples. In doing so I realized that
we were completely missing default rules for HBAC, SUDO and password
policy so I added those as well.

I ran into a problem when the updater has a default record and an add
at the same time, it should handle it better now.

ticket 585


I'm not sure about the HBAC rules ACIs. They are specified as:

'target = "ldap:///cn=*,cn=hbac,$SUFFIX";'

while HBAC rules' DN is:


But HBAC rules do have a cn: attribute, so maybe the ACIs would work?

No, you're right, this is wrong. I'll fix it up and resubmit.

The patch also needs rebasing on top of recent changes to

Other than that, looks OK to me.

btw when I was reviewing this patch, I noticed we add a "DNS
Administrators" privilege in dns.ldif. Would it make sense to add DNS
administration to "Security Architect" (replication management) and
"IT Specialist" (hosts management)?

The DNS stuff is added only if DNS is enabled on the server so I can't
add them by default.


Updated patch.


Interdiff looks fine, but I'm not able to apply the patch (not even
3-way merge), can you rebase?


The patch now applies ok (just one whitespace warning), ack


Freeipa-devel mailing list

I have to NACK this. I have found some issues in the new LDAP records:

1) A wrong groupdn for the following ACI in 40-delegation.update:
add:aci: '(target = "ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX";)(version
3.0;acl "permission:Add SUDO rule";allow (add) groupdn = "ldap:///cn=Add

It should be dap:///cn=Add SUDO rule,cn=permissions,cn=pbac,$SUFFIX

2) Another wrong target for few ACIs:
is used instead of

3) Missing Description for the following new privileges:
Write IPA Configuration
Modify Users and Reset passwords
Modify Group membership

Remainder looks good.


Thanks for the careful review. Updated patch attached.


Good job! Its OK now. ACK


pushed to master

Freeipa-devel mailing list

Reply via email to