On 01/09/2014 03:20 PM, Simo Sorce wrote:
On Thu, 2014-01-09 at 15:14 +0100, Petr Viktorin wrote:
On 01/09/2014 03:07 PM, Simo Sorce wrote:
On Thu, 2014-01-09 at 13:15 +0100, Petr Viktorin wrote:
When I'm done with [#4074], the "type" permissions will use a target
ipa permission-add \
'Modify Account Expiration' \
should result in this ACI at cn=users,...:
(targetattr = "krbPrincipalExpiration")
(targetfilter = "(objectclass=ipauser)")
acl "permission:Modify Account Expiration";
allow (write) groupdn = "ldap:///cn=Modify Account
The probjem is matching the "user" type with the "ipauser" objectclass.
I've looked, but I don't think we have such "canonical objectclasses"
defined anywhere in the code. There is object_class and
possible_objectclasses for each object type in the plugins, but these
aren't adequate: user has "posixaccount"; some have multiple
objectclasses listed (even `top` in one case). (Of course it's not a
problem to add multiple classes to the filter, it just seems superfluous.)
I'd like to add a new attribute to LDAPObject that lists the
objectclass(es) for permission filters. This would also mean the list of
allowed `type`s for permissions can be pulled from the plugins, rather
than being hardcoded in the aci/permission plugin.
Sounds reasonable, I trust the objetclass can be manually changed anyway
if an admin needs to do so ?
Yes, `type` is just a convenience shortcut to set the location + filter,
which can be manipulated individually.
Removing the objectclass filter would make the permission no longer show
up as that `type`.
Ah I forgot to mention this, sorry:
For the default permissions (the ones that come with IPA), the admin
won't be able to change the target at all. But any custom ones can be
The question I think was more nuanced. Will we allow the creation of
custom permissions for UI/CLI ? In that case will the admin be able to
just provide a custom objectclass name ? I guess the answer is yes, but
Freeipa-devel mailing list