I didn't test this as much as I'd like to, but it might come in handy when
testing my earlier patches.

The ACI is removed in the managed permissions plugin because I want to make
sure it's done after all the managed permission updates, which query it.

It worked in my case (I tested upgrade from 3.3.5). What do we do about other
permissions we will want to remove? I am talking about the following ACIs:

- no anonymous access to roles
- no anonymous access to sudo
- no anonymous access to hbac
- no anonymous access to member information

I would like to remove them in 544 as well as otherwise they would bias the

Right. Here is the updated patch.

I tested upgrade from 3.3.5 to 4.0 and in SUFFIX I still had some of the ACIs

(targetattr = "*")(target =
"ldap:///cn=*,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test")(version 3.0;
acl "No anonymous access to roles"; deny (read,search,compare) userdn !=

(targetattr = "*")(target =
"ldap:///cn=*,ou=SUDOers,dc=mkosek-fedora20,dc=test")(version 3.0; acl "No
anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)

The problem is that you used your testing suffix instead of suffix variable.

Shame on me. I've updated & rebased the patch.

I've also made a git hook yell at me when I commit something containing "BRQ",
hopefully this won't happen again.

Would it make sense to publish your FreeIPA git hooks somewhere on
http://www.freeipa.org/page/Contribute/Code or your github and link it? I think
it already contains a couple of gems that may help other people prevent basic errors
like this one.

Sure, I'll document it a bit and publish.

Otherwise, the patch worked fine - ACK!

I would like it to be pushed as soon as the user ACI patch is pushed so that we
have some time to find issues.

Pushed to master: 193ced0bd7a9a26e7b25f08b023ee21302acaac7


