On 05/28/2014 04:36 PM, Petr Viktorin wrote:
On 05/28/2014 04:27 PM, Petr Viktorin wrote:
On 05/27/2014 04:20 PM, Martin Kosek wrote:
On 05/26/2014 04:44 PM, Petr Viktorin wrote:
On 05/22/2014 03:07 PM, Petr Viktorin wrote:
Hello,
Here I start upgrading the existing default permissions to the new Managed style.

https://fedorahosted.org/freeipa/ticket/4346

The patches rely on my patch 0551
(https://fedorahosted.org/freeipa/ticket/4349)
You may run into what seems to be a 389 bug. If you get a "Midair
Collision" (NO_SUCH_ATTRIBUTE) error, restart the DS and try running
ipa-ldap-updater again. I'm working with Ludwig on this one.



The operation is now described at
http://www.freeipa.org/page/V4/Managed_Read_permissions#Replacing_legacy_default_permissions





If the user has modified an old default permission, a warning is logged and
the replacement permission is not added/updated. The user needs to evaluate
the situation: either update the old permission to match the original
default, or remove the old permission, and then ipa-ldap-updater will create
the new one.
Is bailing out the right thing to do if the old entry was modified?

Forcing the user to remove the old permission and create a new one seems like
too much work to me. After the upgrade, we need to be sure that the managed
permissions are there.

Note that this only happens if the user changed the permissions, so we
need to be extra careful to respect their wishes.

What is the problem with having both permissions in the DS? The old modified
permission and the new system-managed one? As we are dealing with allow
permissions, having 2 of them should be harmless.

The new one could be granting too much access, the admin might have
wanted to restrict the defaults.


It could be possible to parse the permission, figure out the changes the
user made, and apply them to the new one, but that seems like too much
guesswork to me.

Maybe we could do the same we do with managed permissions upgrades? Only
allow differences in the list of attributes? I am thinking that people could
hotfix missing attributes in the permissions themselves (like adding
description to the sudorule permission), which would lead to duplicate
permissions later.

What we could do when the old ACI differs only in allowed attributes is to
compare it to the defaults and set the whitelist and blacklist attributes of
the new managed permission. Then we can safely delete the old ACI (with a
warning).

If you think this is too much work, we can keep the old behavior and just
add a duplicate ACI.

Having duplicate permissions would be possible, after all they have a
different name. However I'd expect that most people would still want to
delete the old ones, rather than letting them hide among user-defined
permissions.

On the other hand, my approach has a downside as well: if the
'memberallowcmd' attribute was removed from 'Modify Sudo rule', there's now
no way to upgrade while allowing access but keeping that attribute
off-limits, short of writing a deny ACI by hand. How big a problem is this?
It might be worth it to create a special tool that upgrades a single
permission and allows setting the excluded/included attributes explicitly.

This problem would be removed with my approach proposed above.

There are some interesting scenarios to think about with respect to
upgrades and user changes:

* Upgrade to old version, e.g.
    - have IPA 3.2 master, IPA 3.2 replica
    - upgrade master to 4.0 (old permissions are updated)
    - then upgrade replica to 3.3 (old permissions are added again!)

This is AFAIK not supported but it does happen.
We can't change old IPA versions, so any upgrade to a pre-4.0 IPA will
always add the old permissions, but with this patch, a subsequent upgrade to
4.0+, or running a 4.0+ ipa-ldap-update, will remove the old permissions
again.

Hm, I think this is the best option we have. We should warn about this
behavior in our release notes though.

Tied to that is another scenario:

* Re-create permissions with old names
    - have IPA 4.0 master
    - Create a permission named 'Modify Sudo rule'
    - Upgrade to IPA 4.1

Here we need to make sure the new permission is *not* removed, because a
new 'Modify Sudo rule' permission is no longer special in any way. To
ensure this the updater only removes old-style permissions.

Right, we can decide based on objectclasses - whether the permissionsv2 OC
is there or not.


One thing that can happen when 4.0 masters are still mixed with 3.x is
that an old permission named 'Modify Sudo rule' is added on the old
server. Any update to 4.0+ will remove that.
Old-style default permissions were sorta-kinda managed by IPA itself
anyway, so users should expect this. We should still point it out in the
docs though, since I expect some users to start messing with the
permissions before upgrading all of the infrastructure to 4.0.

+1, I would just point out that behavior in the release notes.

The second patch upgrades the sudorule permissions; this serves as an
example of how the mechanism will work.
The third patch fixes https://fedorahosted.org/freeipa/ticket/4344

The user read permissions patches had a conflict with these; attaching a
rebased version.

Now the actual review
552.2: worked fine for me. Some updates will probably be needed though,
based on the discussion above.

553.2:

1) Why should we bother specifying ipapermdefaultattr for "add" ACIs? Looks
like a noop to me, it was also never part of our add ACIs.

Simo, I hazily remember discussing that we should only allow specific
attributes on add, otherwise users can add entries with any extra
objectclasses and attributes. Did we come to a conclusion?
I might have confused targetattr with targetattrfilter in my notes, since I
see targetattr is ineffective.

OK, this was just me confused. As Ludwig told me, for adding an entry you
need add rights for the entry and write rights for each attribute, so in
the add ACI the targetattrs are irrelevant. So I'll remove them from the
add ACI.

I tried to strip that down to just "description" and I was still able to
add a whole new SUDO rule. Ludwig, is that correct - does DS ignore (should
it?) the targetattr part of an add ACI?

2) You stated 'System: Modify Sudo rule' as an "add" ACI, making it
ineffective. A privileged user still cannot update all SUDO rule attributes.

Duh. I've been staring at this too long.

Besides that, the ACIs were working fine.

The attached version looks at the old permission in LDAP and if it differs from the old default only in the targetattrs, it transplants the difference to the new managed permission.

There is a lot of logging here so if something didn't work the way you expected, at least you'll know what happened.

When there were multiple defaults, i.e. IPA added/removed some attributes in some version: the new managed permission's attributes will be applied, so upgrades from both very old and not-so-old versions should "do the right thing".

If the old permission differs in something else than targetattrs, an error is logged (this will show up in yum update output), and as before the new managed permission is not created. The user now has 3 options to fix this:
- Delete the old permission, then run ipa-ldap-updater to create the new default.
- Modify the old permission on an *old* system to match the old default, possibly with targetattr changes, then run a *new* ipa-ldap-updater to convert that to the new default.
- Modify the old permission on a *new* system, which changes it to a V2 permission, then run ipa-ldap-updater to create the new default, ending up with both permissions.

The distinction between the last two is subtle and error-prone, but:
1) I don't see a better way, considering that future upgrades need to work well (in IPA 4.0+ a user-created permission named "Add Sudo Rule" has no special status)
2) I'm hoping that people didn't modify the old default permissions that much; if they did they should have felt some pain already -- I don't think the update system in 3.x would handle such changes very well
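The attribute-merge rule described above (an attribute is included when it is in LDAP now but in no historic default, excluded when it is in every historic default but missing now, and any other difference is incompatible), as an added Python example that is not part of the attached patches. It works on ACI strings in the legacy format shown in the update files, with a constructed two-release history and a constructed suffix of dc=example,dc=com; the non-targetattr remainder is compared as a plain string here, whereas the patch compares parsed ACI objects.

```python
import re

# Constructed example, not FreeIPA code: re-implements the included/excluded
# attribute computation for legacy-format ACI strings.
TARGETATTR_RE = re.compile(r'\(targetattr\s*=\s*"([^"]*)"\)')

# Legacy 'Modify Sudo rule' ACI in the shape used by 40-delegation.update.
LEGACY_TEMPLATE = (
    '(targetattr = "{attrs}")'
    '(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,{suffix}";)'
    '(version 3.0;acl "permission:Modify Sudo rule";allow ({right}) '
    'groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,{suffix}";)'
)


class IncompatibleACIModification(Exception):
    """The ACI differs from a historic default in more than its targetattr."""


def legacy_aci(attrs, right='write', suffix='dc=example,dc=com'):
    """Build a legacy-style ACI string (constructed helper, not IPA's API)."""
    return LEGACY_TEMPLATE.format(attrs=' || '.join(attrs), right=right,
                                  suffix=suffix)


def split_aci(acistring):
    """Return (targetattr set, ACI string with the targetattr clause removed).

    Attribute names are lowercased because LDAP attribute types are
    case-insensitive.
    """
    match = TARGETATTR_RE.search(acistring)
    if match is None:
        return set(), acistring
    attrs = {a.strip().lower() for a in match.group(1).split('||') if a.strip()}
    return attrs, acistring[:match.start()] + acistring[match.end():]


def upgrade_attr_lists(current_acistring, default_acistrings):
    """Return (included, excluded) for the new managed permission.

    included: attrs in LDAP now that appear in *no* historic default
              (the admin added them, so keep granting them).
    excluded: attrs in *all* historic defaults but missing from LDAP
              (the admin removed them, so keep them off-limits).
    Any other difference raises IncompatibleACIModification.
    """
    assert default_acistrings, "at least one historic default is required"
    current_attrs, current_rest = split_aci(current_acistring)
    attrs_in_all = None
    attrs_in_any = set()
    for default_acistring in default_acistrings:
        default_attrs, default_rest = split_aci(default_acistring)
        if current_rest != default_rest:
            raise IncompatibleACIModification(current_rest)
        # Intersect with *this* default's attrs so that an attribute only some
        # releases granted is never marked as excluded.
        attrs_in_all = (set(default_attrs) if attrs_in_all is None
                        else attrs_in_all & default_attrs)
        attrs_in_any |= default_attrs
    return current_attrs - attrs_in_any, attrs_in_all - current_attrs


def is_compatible(current_acistring, default_acistrings):
    """True when the only difference from the defaults is the targetattr list."""
    try:
        upgrade_attr_lists(current_acistring, default_acistrings)
    except IncompatibleACIModification:
        return False
    return True


# Constructed history: an older release granted three attributes, a later one
# added 'memberuser'. The admin's copy dropped 'memberallowcmd' and hotfixed
# 'memberhost' in, the scenario discussed in the thread.
DEFAULTS = [
    legacy_aci(['description', 'ipaenabledflag', 'memberallowcmd']),
    legacy_aci(['description', 'ipaenabledflag', 'memberallowcmd', 'memberuser']),
]
CURRENT = legacy_aci(['description', 'ipaenabledflag', 'memberhost'])

if __name__ == '__main__':
    included, excluded = upgrade_attr_lists(CURRENT, DEFAULTS)
    print('ipapermincludedattr:', sorted(included))  # ['memberhost']
    print('ipapermexcludedattr:', sorted(excluded))  # ['memberallowcmd']
    # A changed right (not just targetattr) is reported as incompatible.
    print(is_compatible(legacy_aci(['description'], right='write,delete'),
                        DEFAULTS))  # False
```

Note that 'memberuser' is absent from the admin's ACI but is not excluded, because only the later default granted it; the new managed default applies to it.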

Apply my patch 0565 before trying these out.


Some testing tips:
- Create 3.x master and replica
- Upgrade master RPMs with these patches
- to add old permissions, run ipa-ldap-updater on the replica
- to simulate an upgrade, run ipa-ldap-updater on the master
- to delete a managed permission:
$ curl -v -H Content-Type:application/json -H Accept:application/json --negotiate -u : --delegation always --cacert /etc/ipa/ca.crt -X POST -H referer:https://`hostname`/ipa/json -d '{"method": "permission_del", "params":[["$PERMISSION_NAME"],{"force":true}], "id":0 }' https://`hostname`/ipa/json
- be careful where you run permission-mod; on 4.0 it will convert the permission to V2

--
Petr³

From 521b6f3d3a990287ee5454d8704d30b5a5136c1d Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 14 May 2014 16:08:28 +0200
Subject: [PATCH] Add mechanism for updating permissions to managed

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
---
 .../install/plugins/update_managed_permissions.py  | 139 ++++++++++++++++++++-
 1 file changed, 133 insertions(+), 6 deletions(-)

diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index c9994c77d390a85bfa954231dc8114aeb19709d6..13433d353cd09de77029fd76f7070bf79a432774 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -64,6 +64,9 @@
 * non_object
   - If true, no object-specific defaults are used (e.g. for
     ipapermtargetfilter, ipapermlocation).
+* replaces
+  - A list of ACIs corresponding to legacy default permissions replaced
+    by this permission.
 * fixup_function
   - A callable that may modify the template in-place before it is applied.
   - Called with the permission name, template dict, and keyword arguments:
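Review bot: the `replaces` documentation does not say what the entries must look like or how they are used. It should state that each string is templated (`$SUFFIX` is substituted, per the `sub_dict` built later in update_permission), that the legacy permission's name is taken from the `acl "permission:<name>"` part of the first entry, and that the list should carry every historic variant of the ACI (one per release in which the targetattr list changed), since the included/excluded computation needs all of them; as written a reader cannot tell which entries to add when a permission's attributes changed between releases.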
@@ -80,8 +83,9 @@
 from ipapython.dn import DN
 from ipalib.plugable import Registry
 from ipalib.plugins import aci
-from ipalib.plugins.permission import permission
+from ipalib.plugins.permission import permission, permission_del
 from ipalib.aci import ACI
+from ipapython import ipautil
 from ipaserver.plugins.ldap2 import ldap2
 from ipaserver.install.plugins import LAST
 from ipaserver.install.plugins.baseupdate import PostUpdate
@@ -228,6 +232,10 @@
 }
 
 
+class IncompatibleACIModification(Exception):
+    """User has made a legacy default perm modification we can't handle"""
+
+
 @register()
 class update_managed_permissions(PostUpdate):
     """Update managed permissions after an update.
@@ -302,9 +310,10 @@ def update_permission(self, ldap, obj, name, template, anonymous_read_aci):
         assert name.startswith('System:')
 
         dn = self.api.Object[permission].get_dn(name)
+        permission_plugin = self.api.Object[permission]
 
         try:
-            attrs_list = list(self.api.Object[permission].default_attributes)
+            attrs_list = list(permission_plugin.default_attributes)
             attrs_list.remove('memberindirect')
             entry = ldap.get_entry(dn, attrs_list)
             is_new = False
@@ -312,10 +321,63 @@ def update_permission(self, ldap, obj, name, template, anonymous_read_aci):
             entry = ldap.make_entry(dn)
             is_new = True
 
-        self.log.debug('Updating managed permission: %s', name)
         self.update_entry(obj, entry, template,
                           anonymous_read_aci, is_new=is_new)
 
+        remove_legacy = False
+        if 'replaces' in template:
+            sub_dict = {
+                'SUFFIX': str(self.api.env.basedn),
+            }
+            legacy_acistrs = [ipautil.template_str(r, sub_dict)
+                              for r in template['replaces']]
+
+            legacy_aci = ACI(legacy_acistrs[0])
+            prefix, sep, legacy_name = legacy_aci.name.partition(':')
+            assert prefix == 'permission' and sep
+
+            legacy_dn = permission_plugin.get_dn(legacy_name)
+            try:
+                legacy_entry = ldap.get_entry(legacy_dn,
+                                              ['ipapermissiontype', 'cn'])
+            except errors.NotFound:
+                self.log.debug("Legacy permission %s not found", legacy_name)
+            else:
+                if 'ipapermissiontype' not in legacy_entry:
+                    if is_new:
+                        acientry, acistr = (
+                            permission_plugin._get_aci_entry_and_string(
+                                legacy_entry, notfound_ok=True))
+                        try:
+                            included, excluded = self.get_upgrade_attr_lists(
+                                acistr, legacy_acistrs)
+                        except IncompatibleACIModification:
+                            self.log.error(
+                                "Permission '%s' has been modified from its "
+                                "default; not updating it to '%s'.",
+                                legacy_name, name)
+                            return
+                        else:
+                            self.log.debug("Merging attributes from legacy "
+                                           "permission '%s'", legacy_name)
+                            self.log.debug("Included attrs: %s",
+                                           ', '.join(sorted(included)))
+                            self.log.debug("Excluded attrs: %s",
+                                           ', '.join(sorted(excluded)))
+                            entry['ipapermincludedattr'] = list(included)
+                            entry['ipapermexcludedattr'] = list(excluded)
+                            remove_legacy = True
+                    else:
+                        self.log.debug("Ignoring attributes in legacy "
+                                       "permission '%s' because '%s' exists",
+                                       legacy_name, name)
+                        remove_legacy = True
+                else:
+                    self.log.debug("Ignoring V2 permission named '%s'" %
+                                   legacy_name)
+
+        update_aci = True
+        self.log.debug('Updating managed permission: %s', name)
         if is_new:
             ldap.add_entry(entry)
         else:
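Review bot: in the `else:` branch under `if is_new:` (the managed permission already exists), the legacy permission is scheduled for removal without checking whether it was modified, and the only trace is a debug message ("Ignoring attributes in legacy permission ..."). Given the thread's reason for bailing out, that an admin may have deliberately restricted the defaults, consider calling get_upgrade_attr_lists here too and logging at warning level when included or excluded is non-empty, so a customized legacy ACI re-added by a 3.x replica is not discarded silently. Two smaller points: `legacy_aci = ACI(legacy_acistrs[0])` derives the legacy name from the first `replaces` entry only, so either document that all entries must name the same permission or assert it; and `self.log.debug("Ignoring V2 permission named '%s'" % legacy_name)` uses `%` formatting where every other call in the hunk passes arguments to the logger.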
@@ -323,11 +385,75 @@ def update_permission(self, ldap, obj, name, template, anonymous_read_aci):
                 ldap.update_entry(entry)
             except errors.EmptyModlist:
                 self.log.debug('No changes to permission: %s', name)
-                return
+                update_aci = False
 
-        self.log.debug('Updating ACI for managed permission: %s', name)
+        if update_aci:
+            self.log.debug('Updating ACI for managed permission: %s', name)
+            permission_plugin.update_aci(entry)
 
-        self.api.Object[permission].update_aci(entry)
+        if remove_legacy:
+            self.log.info("Removing legacy permission '%s'", legacy_name)
+            self.api.Command[permission_del](unicode(legacy_name))
+
+    def get_upgrade_attr_lists(self, current_acistring, default_acistrings):
+        """Compute included and excluded attributes for a new permission
+
+        :param current_acistring: ACI is in LDAP currently
+        :param default_acistrings:
+            List of all default ACIs IPA historically used for this permission
+        :return:
+            (ipapermincludedattr, ipapermexcludedattr) for the upgraded
+            permission
+
+        An attribute will be included if the user has it in LDAP but it does
+        not appear in *any* historic ACI.
+        It will be excluded if it is in *all* historic ACIs but not in LDAP.
+
+        If the ACIs differ in something else than the list of attributes,
+        raise IncompatibleACIModification. This means manual action is needed
+        (either delete the old permission or change it to resemble the default
+        again, then re-run ipa-ldap-updater)
+        """
+        assert default_acistrings
+
+        def _pop_targetattr(aci):
+            """Return the attr list it as a set, clear it in the ACI object
+            """
+            targetattr = aci.target.get('targetattr')
+            if targetattr:
+                attrs = targetattr['expression']
+                targetattr['expression'] = []
+                return set(t.lower() for t in attrs)
+            else:
+                return set()
+
+        current_aci = ACI(current_acistring)
+        current_attrs = _pop_targetattr(current_aci)
+        self.log.debug("Current ACI for '%s': %s",
+                       current_aci.name, current_acistring)
+
+        attrs_in_all_defaults = None
+        attrs_in_any_defaults = set()
+        for default_acistring in default_acistrings:
+            default_aci = ACI(default_acistring)
+            default_attrs = _pop_targetattr(default_aci)
+            self.log.debug("Default ACI for '%s': %s",
+                           default_aci.name, default_acistring)
+
+            if current_aci != default_aci:
+                self.log.debug('ACIs not compatible')
+                raise(IncompatibleACIModification())
+
+            if attrs_in_all_defaults is None:
+                attrs_in_all_defaults = set(default_attrs)
+            else:
+                attrs_in_all_defaults &= attrs_in_all_defaults
+            attrs_in_any_defaults |= default_attrs
+
+        included = current_attrs - attrs_in_any_defaults
+        excluded = attrs_in_all_defaults - current_attrs
+
+        return included, excluded
 
     def update_entry(self, obj, entry, template,
                      anonymous_read_aci, is_new):
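Review bot: `attrs_in_all_defaults &= attrs_in_all_defaults` intersects the set with itself, a no-op, so `attrs_in_all_defaults` ends up as the attribute set of the first default only and the "in *all* historic ACIs" rule from the docstring is not implemented; it should read `attrs_in_all_defaults &= default_attrs`. With a single entry in `replaces`, as in the sudorule patch, the bug is invisible, which is why testing did not catch it. Smaller points: `raise(IncompatibleACIModification())` should be `raise IncompatibleACIModification()`; the `:param current_acistring:` description reads "ACI is in LDAP currently"; and since compatibility hinges on `current_aci != default_aci`, confirm that ACI defines `__ne__` (Python 2 does not derive it from `__eq__`), otherwise this comparison is identity-based and every legacy permission would be reported as modified.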
@@ -339,6 +465,7 @@ def update_entry(self, obj, entry, template,
         entry.single_value['cn'] = name
 
         template = dict(template)
+        template.pop('replaces', None)
 
         fixup_function = template.pop('fixup_function', None)
         if fixup_function:
-- 
1.9.0

From 84582a033db5264e432cbe3f9c34708106061046 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 14 May 2014 14:57:35 +0200
Subject: [PATCH] Convert Sudo rule default permissions to managed

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
---
 install/updates/40-delegation.update | 25 ---------------------
 ipalib/plugins/sudorule.py           | 43 +++++++++++++++++++++++++++++++++++-
 2 files changed, 42 insertions(+), 26 deletions(-)

diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 7f0f85124686fde97f35cca6dbb80614faf431d0..3f3b98799acfc7c5ae7218c3de682db35b815d2e 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -108,27 +108,6 @@ dn: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
 default:cn: Sudo Administrator
 default:description: Sudo Administrator
 
-dn: cn=Add Sudo rule,cn=permissions,cn=pbac,$SUFFIX
-default:objectClass: groupofnames
-default:objectClass: ipapermission
-default:objectClass: top
-default:cn: Add Sudo rule
-default:member: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Delete Sudo rule,cn=permissions,cn=pbac,$SUFFIX
-default:objectClass: groupofnames
-default:objectClass: ipapermission
-default:objectClass: top
-default:cn: Delete Sudo rule
-default:member: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Modify Sudo rule,cn=permissions,cn=pbac,$SUFFIX
-default:objectClass: groupofnames
-default:objectClass: ipapermission
-default:objectClass: top
-default:cn: Modify Sudo rule
-default:member: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
-
 dn: cn=Add Sudo command,cn=permissions,cn=pbac,$SUFFIX
 default:objectClass: groupofnames
 default:objectClass: ipapermission
@@ -172,10 +151,6 @@ dn: cn=Manage Sudo command group membership,cn=permissions,cn=pbac,$SUFFIX
 default:member: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
 
 dn: $SUFFIX
-add:aci: '(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX";)(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,$SUFFIX";)'
-add:aci: '(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX";)(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,$SUFFIX";)'
-add:aci: '(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX";)(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,$SUFFIX";)'
-
 remove:aci: '(targetattr = "description")(target = "ldap:///sudocmd=*,cn=sudocmds,cn=sudo,$SUFFIX";)(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,$SUFFIX";)'
 remove:aci: '(target = "ldap:///sudocmd=*,cn=sudocmds,cn=sudo,$SUFFIX";)(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,$SUFFIX";)'
 remove:aci: '(target = "ldap:///sudocmd=*,cn=sudocmds,cn=sudo,$SUFFIX";)(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,$SUFFIX";)'
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index 627b4b975f6336658eb74d37b4c15d803511c5d4..d9a1ecace141a403862777e049de72b317a53134 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -144,7 +144,48 @@ class sudorule(LDAPObject):
                 'sudorunasuser', 'sudorunasgroup', 'sudooption',
                 'sudonotbefore', 'sudonotafter', 'sudoorder', 'description',
             },
-        }
+        },
+        'System: Add Sudo rule': {
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'add'},
+            'ipapermdefaultattr': {
+                'cmdcategory', 'cn', 'description', 'externalhost',
+                'externaluser', 'hostcategory', 'hostmask', 'ipaenabledflag',
+                'ipasudoopt', 'ipasudorunas', 'ipasudorunasextgroup',
+                'ipasudorunasextuser', 'ipasudorunasgroup',
+                'ipasudorunasgroupcategory', 'ipasudorunasusercategory',
+                'ipauniqueid', 'memberallowcmd', 'memberdenycmd',
+                'memberhost', 'memberuser', 'sudonotafter', 'sudonotbefore',
+                'sudoorder', 'usercategory', 'objectclass',
+            },
+            'replaces': [
+                '(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX";)(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {'Sudo Administrator'},
+        },
+        'System: Delete Sudo rule': {
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'delete'},
+            'replaces': [
+                '(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX";)(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {'Sudo Administrator'},
+        },
+        'System: Modify Sudo rule': {
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'write'},
+            'ipapermdefaultattr': {
+                'description', 'ipaenabledflag', 'usercategory',
+                'hostcategory', 'cmdcategory', 'ipasudorunasusercategory',
+                'ipasudorunasgroupcategory', 'externaluser',
+                'ipasudorunasextuser', 'ipasudorunasextgroup', 'memberdenycmd',
+                'memberallowcmd', 'memberuser',
+            },
+            'replaces': [
+                '(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX";)(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {'Sudo Administrator'},
+        },
     }
 
     label = _('Sudo Rules')
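Review bot: 'System: Add Sudo rule' still carries an `ipapermdefaultattr` set (including 'objectclass') although, as established in the discussion above, the targetattr of an add ACI is ineffective because adding an entry needs add rights on the entry plus write rights on each attribute; drop the list here as is already done for 'System: Delete Sudo rule', so readers do not assume it restricts what can be added. Also note that the three `replaces` strings are byte-for-byte copies of the `add:aci` lines removed from 40-delegation.update; any later edit to one side must be mirrored, otherwise legacy ACIs on 3.x-installed servers stop matching and every upgrade lands in the IncompatibleACIModification path.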
-- 
1.9.0

From 4ed361699cff2e10a1e8060979ce3ddf31b88aeb Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 14 May 2014 15:10:10 +0200
Subject: [PATCH] Add missing attributes to 'Modify Sudo rule' permission

https://fedorahosted.org/freeipa/ticket/4344
---
 ipalib/plugins/sudorule.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index d9a1ecace141a403862777e049de72b317a53134..bd75953ac6dbc0252e51bd9086c55988caff39f5 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -179,7 +179,10 @@ class sudorule(LDAPObject):
                 'hostcategory', 'cmdcategory', 'ipasudorunasusercategory',
                 'ipasudorunasgroupcategory', 'externaluser',
                 'ipasudorunasextuser', 'ipasudorunasextgroup', 'memberdenycmd',
-                'memberallowcmd', 'memberuser',
+                'memberallowcmd', 'memberuser', 'memberhost', 'externalhost',
+                'sudonotafter', 'hostmask', 'sudoorder', 'sudonotbefore',
+                'ipasudorunas', 'externalhost', 'ipasudorunasgroup',
+                'ipasudoopt', 'memberhost',
             },
             'replaces': [
                 '(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX";)(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,$SUFFIX";)',
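Review bot: the added set literal lists 'externalhost' and 'memberhost' twice each; harmless at runtime for a set, but it suggests the list was not checked against the sudorule attribute list, so dedupe it (and ideally sort it) before pushing. Leaving the `replaces` string unchanged while extending ipapermdefaultattr is correct, since the replaced legacy ACI must keep matching what 3.x servers actually deployed.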
-- 
1.9.0

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
