On Thu, 2014-01-09 at 13:15 +0100, Petr Viktorin wrote:
> Hello,
> When I'm done with [#4074], the "type" permissions will use a target 
> filter, e.g.:
> 
>      ipa permission-add \
>          'Modify Account Expiration' \
>          --attr=krbPrincipalExpiration \
>          --type=user --perm=write
> 
> should result in this ACI at cn=users,...:
> 
>      (targetattr = "krbPrincipalExpiration")
>      (targetfilter = "(objectclass=ipauser)")
>      (version 3.0;
>          acl "permission:Modify Account Expiration";
>          allow (write) groupdn = "ldap:///cn=Modify Account Expiration,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)
> 
> The problem is matching the "user" type with the "ipauser" objectclass.
> I've looked, but I don't think we have such "canonical objectclasses" 
> defined anywhere in the code. There is object_class and 
> possible_objectclasses for each object type in the plugins, but these 
> aren't adequate: user has "posixaccount"; some have multiple 
> objectclasses listed (even `top` in one case). (Of course it's not a 
> problem to add multiple classes to the filter, it just seems superfluous.)
> I'd like to add a new attribute to LDAPObject that lists the 
> objectclass(es) for permission filters. This would also mean the list of 
> allowed `type`s for permissions can be pulled from the plugins, rather 
> than being hardcoded in the aci/permission plugin.

Sounds reasonable, I trust the objectclass can be manually changed anyway
if an admin needs to do so?

Simo.

> Here's a list of proposed classes, and the existing lists for reference:
> 
> 
> user:
>      proposed for filter: ipauser
>      object_class: posixaccount
>      possible_objectclasses: meporiginentry, ipauserauthtypeclass, 
> ipauser, ipatokenradiusproxyuser
> 
> group:
>      proposed for filter: ipausergroup
>      object_class: ipausergroup
>      possible_objectclasses: posixGroup, mepManagedEntry, ipaExternalGroup
> 
> host:
>      proposed for filter: ipahost
>      object_class: ipaobject, nshost, ipahost, pkiuser, ipaservice
>      possible_objectclasses: (none)
> 
> service:
>      proposed for filter: ipaservice
>      object_class: krbprincipal, krbprincipalaux, krbticketpolicyaux, 
> ipaobject, ipaservice, pkiuser
>      possible_objectclasses: ipakrbprincipal
> 
> hostgroup:
>      proposed for filter: ipahostgroup
>      object_class: ipaobject, ipahostgroup
>      possible_objectclasses: (none)
> 
> netgroup:
>      proposed for filter: ipanisnetgroup
>      object_class: ipaobject, ipaassociation, ipanisnetgroup
>      possible_objectclasses: (none)
> 
> dnsrecord:
>      proposed for filter: idnsrecord
>      object_class: top, idnsrecord
>      possible_objectclasses: (none)
> 
> 
> [#4074]: https://fedorahosted.org/freeipa/ticket/4074
> 


-- 
Simo Sorce * Red Hat, Inc * New York
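As an added illustration (not FreeIPA's own code, and not from either poster), the sketch below shows how the proposed per-object-type objectclass attribute could drive both the allowed `--type` list and the generated ACI's targetfilter; the mapping values are the proposed classes from the thread, while `SUFFIX`, the function names and the sample entry are constructed assumptions.

```python
"""Hypothetical illustration of mapping a permission --type to an
objectclass target filter via a per-object-type attribute, then
rendering the ACI text and checking which entries the filter selects.
This is not FreeIPA's implementation."""

# Assumed per-plugin attribute: the objectclass each object type
# would expose for permission filters (values from the proposal).
PERMISSION_FILTER_OBJECTCLASS = {
    "user": "ipauser",
    "group": "ipausergroup",
    "host": "ipahost",
    "service": "ipaservice",
    "hostgroup": "ipahostgroup",
    "netgroup": "ipanisnetgroup",
    "dnsrecord": "idnsrecord",
}

# Constructed sample base suffix; a real deployment has its own.
SUFFIX = "dc=example,dc=test"


def allowed_permission_types():
    """Derive the allowed --type values from the plugin-provided
    mapping instead of a list hardcoded in the permission plugin."""
    return sorted(PERMISSION_FILTER_OBJECTCLASS)


def build_aci(name, attrs, obj_type, perms):
    """Render the ACI produced by permission-add --type=<obj_type>."""
    if obj_type not in PERMISSION_FILTER_OBJECTCLASS:
        raise ValueError("unknown permission type: %s" % obj_type)
    oc = PERMISSION_FILTER_OBJECTCLASS[obj_type]
    groupdn = "ldap:///cn=%s,cn=permissions,cn=pbac,%s" % (name, SUFFIX)
    return (
        '(targetattr = "%s")' % " || ".join(attrs)
        + '(targetfilter = "(objectclass=%s)")' % oc
        + '(version 3.0;acl "permission:%s";allow (%s) groupdn = "%s";)'
        % (name, ",".join(perms), groupdn)
    )


def entry_matches_type(entry, obj_type):
    """Return True if the type's target filter would select this entry.
    objectClass values compare case-insensitively, as in LDAP."""
    oc = PERMISSION_FILTER_OBJECTCLASS[obj_type].lower()
    return oc in (v.lower() for v in entry.get("objectClass", []))
```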

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
