On 04/15/2014 09:53 AM, Martin Kosek wrote:
> On 04/14/2014 10:00 PM, Petr Viktorin wrote:
>> Read access is given to all authenticated users.
>
> This only works when I added cn and objectclass attributes to the ACI. Is this
> expected?
>
> It would work when we add nsContainer ACI for cn=etc though as it has the
> nsContainer objectclass.

You're right, cn and objectclass should be granted explicitly. My mistake.
Fixed patch attached.


--
Petr³
From 94e2401bde270c1671a10e18389e1c5b5a99ff7b Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 26 Mar 2014 14:56:30 +0100
Subject: [PATCH] Add managed read permission to config

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 ipalib/plugins/config.py | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index 05369be4e93052f18c6cefa03621d651f470749b..4ac411c74c75ab7408c5c876f1efaec8788a5618 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -94,6 +94,28 @@ class config(LDAPObject):
         'ipaselinuxusermapdefault', 'ipaconfigstring', 'ipakrbauthzdata',
         'ipauserauthtype'
     ]
+    container_dn = DN(('cn', 'ipaconfig'), ('cn', 'etc'))
+    permission_filter_objectclasses = ['ipaguiconfig']
+    managed_permissions = {
+        'System: Read Global Configuration': {
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'all',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'cn', 'objectclass',
+                'ipacertificatesubjectbase', 'ipaconfigstring',
+                'ipadefaultemaildomain', 'ipadefaultloginshell',
+                'ipadefaultprimarygroup', 'ipagroupobjectclasses',
+                'ipagroupsearchfields', 'ipahomesrootdir',
+                'ipakrbauthzdata', 'ipamaxusernamelength',
+                'ipamigrationenabled', 'ipapwdexpadvnotify',
+                'ipaselinuxusermapdefault', 'ipaselinuxusermaporder',
+                'ipasearchrecordslimit', 'ipasearchtimelimit',
+                'ipauserauthtype', 'ipauserobjectclasses',
+                'ipausersearchfields', 'ipacustomfields',
+            },
+        },
+    }
 
     label = _('Configuration')
     label_singular = _('Configuration')
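Review bot: The commit message does not say what access change this hunk makes; with 'replaces_global_anonymous_aci': True and 'ipapermbindruletype': 'all', read access to cn=ipaconfig moves from the global anonymous ACI to authenticated users only, and that should be spelled out in the message (and in the ticket notes) so the behaviour change is visible to anyone reviewing or bisecting later. Also, the attribute set under 'ipapermdefaultattr' duplicates names already listed for this object a few lines up ('ipaconfigstring', 'ipakrbauthzdata', 'ipauserauthtype' appear in both), so the two lists will drift apart as attributes are added; consider deriving the permission attributes from the object's attribute list plus 'cn' and 'objectclass' rather than maintaining a second hand-written copy.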
-- 
1.9.0

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel