Read access is given as a new privilege, 'Password Policy Readers', and
also to the existing privilege 'Password Policy Administrator'.
--
Petr³
From c61532cd5bbce02f073a94fdceff8169c4d4b52d Mon Sep 17 00:00:00 2001
From: Petr Viktorin <[email protected]>
Date: Wed, 26 Mar 2014 17:11:23 +0100
Subject: [PATCH] Add managed read permissions to pwpolicy and cosentry
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
install/updates/40-delegation.update | 7 +++++++
ipalib/plugins/pwpolicy.py | 34 ++++++++++++++++++++++++++++++++++
2 files changed, 41 insertions(+)
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index e90819a5117afae5f65a24cb7b099f7e160dfa17..27e605789ba152ac61796217ca12a603958931c1 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -401,3 +401,10 @@ dn: cn=RBAC Readers,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: top
default:cn: RBAC Readers
default:description: Read roles, privileges, permissions and ACIs
+
+dn: cn=Password Policy Readers,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: Password Policy Readers
+default:description: Read password policies
diff --git a/ipalib/plugins/pwpolicy.py b/ipalib/plugins/pwpolicy.py
index 46e839a70edf9d2bd3b8baba66ced7e9ce1b8e19..1d546ea75be61f9bf5b0ab2f571b7d98c9cc2ac1 100644
--- a/ipalib/plugins/pwpolicy.py
+++ b/ipalib/plugins/pwpolicy.py
@@ -78,7 +78,22 @@ class cosentry(LDAPObject):
container_dn = DN(('cn', 'costemplates'), api.env.container_accounts)
object_class = ['top', 'costemplate', 'extensibleobject', 'krbcontainer']
+ permission_filter_objectclasses = ['costemplate']
default_attributes = ['cn', 'cospriority', 'krbpwdpolicyreference']
+ managed_permissions = {
+ 'System: Read Group Password Policy costemplate': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'cn', 'cospriority', 'krbpwdpolicyreference', 'objectclass',
+ },
+ 'default_privileges': {
+ 'Password Policy Readers',
+ 'Password Policy Administrator',
+ },
+ },
+ }
takes_params = (
Str('cn', primary_key=True),
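Review bot: The `'replaces_global_anonymous_aci': True` setting (here and again in the pwpolicy hunk below) withdraws anonymous read of these entries once the managed permission is installed, but nothing in the hunk or the commit message records which previously-anonymous consumers were checked before the tightening. A one-line comment above the dict would make the intent reviewable, e.g. `# Replaces the global anonymous ACI: after upgrade only the listed privileges can read costemplates`. Since `krbpwdpolicyreference` is among the granted attributes, the new 'Password Policy Readers' privilege presumably also exposes which policy each template points at; if so, that is worth stating in the privilege description in 40-delegation.update. The cosentry class starts before this hunk and continues past it.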
@@ -180,12 +195,31 @@ class pwpolicy(LDAPObject):
object_name = _('password policy')
object_name_plural = _('password policies')
object_class = ['top', 'nscontainer', 'krbpwdpolicy']
+ permission_filter_objectclasses = ['krbpwdpolicy']
default_attributes = [
'cn', 'cospriority', 'krbmaxpwdlife', 'krbminpwdlife',
'krbpwdhistorylength', 'krbpwdmindiffchars', 'krbpwdminlength',
'krbpwdmaxfailure', 'krbpwdfailurecountinterval',
'krbpwdlockoutduration',
]
+ managed_permissions = {
+ 'System: Read Group Password Policy': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'cn', 'cospriority', 'krbmaxpwdlife', 'krbminpwdlife',
+ 'krbpwdfailurecountinterval', 'krbpwdhistorylength',
+ 'krbpwdlockoutduration', 'krbpwdmaxfailure',
+ 'krbpwdmindiffchars', 'krbpwdminlength', 'objectclass',
+ },
+ 'default_privileges': {
+ 'Password Policy Readers',
+ 'Password Policy Administrator',
+ },
+ },
+ }
+
MIN_KRB5KDC_WITH_LOCKOUT = "1.8"
has_lockout = False
lockout_params = ()
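Review bot: `'cospriority'` is granted in `ipapermdefaultattr` for entries matching `permission_filter_objectclasses = ['krbpwdpolicy']`, yet on this page it is the costemplate (cosentry) object that carries `cospriority`; if the policy entry itself does not store it, the grant is inert and could be dropped, or a comment should say why it is kept, e.g. `# cospriority is read from the matching costemplate, kept here for parity with default_attributes`. The pwpolicy class starts before this hunk and continues past it.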
--
1.9.0