On 06/04/2014 10:15 AM, Martin Kosek wrote:
On 06/03/2014 02:41 PM, Petr Viktorin wrote:
On 05/28/2014 04:36 PM, Petr Viktorin wrote:
On 05/28/2014 04:27 PM, Petr Viktorin wrote:
On 05/27/2014 04:20 PM, Martin Kosek wrote:
On 05/26/2014 04:44 PM, Petr Viktorin wrote:
On 05/22/2014 03:07 PM, Petr Viktorin wrote:
Hello,
Here I start upgrading  the existing default permissions to the new
Managed style.

https://fedorahosted.org/freeipa/ticket/4346

The patches rely on my patch 0551
(https://fedorahosted.org/freeipa/ticket/4349)
You may run into what seems to be a 389 bug. If you get a "Midair
Collision" (NO_SUCH_ATTRIBUTE) error, restart the DS and try running
ipa-ldap-updater again. I'm working with Ludwig on this one.



The operation is now described at
http://www.freeipa.org/page/V4/Managed_Read_permissions#Replacing_legacy_default_permissions






If there user has modified an old default permission, a warning is
logged the replacement permission is not added/updated. The user needs
to evaluate the situation: either update the old permission to match
the
original default, or remove the old permission, and then run
ipa-ldap-updater will create the new one.
Is bailing out the right thing to do if the old entry was modified?

Forcing user to remove old permission and create new one seems as a
too much
work to me. After the upgrade, we need to be sure that the managed
permissions
is there.

Note that this only happens if the user changed the permissions, so we
need to be extra careful to respect their wishes.

What is the problem of having both 2 permissions in the DS? The old
modified
permission and the new system managed one? As we are dealing with allow
permissions, having 2 of them should be harmless.

The new one could be granting too much access, the admin might have
wanted to restrict the defaults.


It could be possible to parse the permission, figure out the changes
the
user made, and apply them to the new one, but that seems like too much
guesswork to me.

Maybe we could do the same we do with managed permissions upgrades?
Only allow
differences in the list of attributes? I am thinking that people could
hotfix
missing attributes at permissions themselves (like adding description to
sudorule permission), this would lead to duplicate permissions later.

What we could do when old ACI differs only in allowed attributes is to
compare
it to defaults and set whitelist and blacklist attributes of the new
managed
permission. Then we can safely delete the old ACI (with warning).

If you think this is too much work, we can keep the old behavior and
just add
duplicate ACI.

Having duplicate permissions would be possible, after all they have a
different name. However I'd expect that most people would still want to
delete the old ones, rather than letting them hide among user-defined
permissions.

On the other hand, my approach has a downside as well: if the
'memberallowcmd' attribute was removed from 'Modify Sudo rule',
there's
now no way to upgrade while allowing access but keeping that attribute
off-limits, short of writing deny a ACI by hand. How big a problem is
this? It might be worth it to create a special tool that upgrades a
single permission and allows setting the excluded/included attributes
explicitly.

This problem would be removed with my approach proposed above.

There are some interesting scenarios to think about with respect to
upgrades and user changes:

* Upgrade to old version, e.g.
     - have IPA 3.2 master, IPA 3.2 replica
     - upgrade master to 4.0 (old permissions are updated)
     - then upgrade replica to 3.3 (old permissions are added again!)

This is AFAIK not supported but it does happen.
We can't change old IPA versions, so any upgrade to a pre-4.0 IPA will
always add the old permissions, but with this patch, a subsequent
upgrade to 4.0+, or running a 4.0+ ipa-ldap-update, will remove the
old
permissions again.

Hm, I think this is the best option we have. We should warn about this
behavior
in our release notes though.

Tied to that is another scenario:

* Re-create permissions with old names
     - have IPA 4.0 master
     - Create a permission named 'Modify Sudo rule'
     - Upgrade to IPA 4.1

Here we need to make sure the new permission is *not* removed,
because a
new 'Modify Sudo rule' permission is no longer special in any way. To
ensure this the updater only removes old-style permissions.

Right, we can decide based on objectclasses - whether permissionsv2 OC
is there
or not.


One thing that can happen when 4.0 masters are still mixed with 3.x is
that an old permission named 'Modify Sudo rule' is added on the old
server. Any update to 4.0+ will remove that.
Old-style default permissions were sorta-kinda managed by IPA itself
anyway, so users should expect this. We should still point it out in
the
docs though, since I expect some users to start messing with the
permissions before upgrading all of the infrastructure to 4.0.

+1, I would just point out that behavior in the release notes.

The second patch upgrades sudorule permissions, this server as an
example of how the  will work.
The third patch fixes https://fedorahosted.org/freeipa/ticket/4344

The user read permissions patches had a conflict with these;
attaching rebased
version.

Now the actual review
552.2: worked fine for me. Some updates will probably be needed
though, based
on the discussion above.

553.2:

1) Why should we bother specifying ipapermdefaultattr for "add" ACIs?
Looks
like a noop to me, it was also never part of our add ACIs.

Simo, I hazily remember discussing that we should only allow specific
attributes on add, otherwise users can add entries with any extra
objectclasses and attributes. Did we come to a conclusion?
I might have confused targetattr with targetattrfilter in my notes;
since I see targetarr is ineffective.

OK, this was just me confused. As Ludwig told me,
for adding an entry you need add rights for the entry and write rights
for each attribute, so in the add aci the targetattrs are irrelevant.
so I'll remove them from the add ACI.

I tried to strip that down to just "description" and I was still able
to add a
whole new SUDO rule. Ludwig, is that correct - does DS ignore (should
it?)
targetattr part of add ACI?

2) You stated 'System: Modify Sudo rule' as "add" ACI, making it
ineffective.
Privileged user still cannot update all SUDO rule attributes.

Duh. I've been staring at this too long.

Besides that, the ACIs were working fine.

The attached version looks at the old permission in LDAP and if it differs from
the old default only in the targetattrs, it transplants the difference to the
new managed permission.

There is a lot of logging here so if something didn't work the way you
expected, at least you'll know what happened.

When there were multiple defaults, i.e. IPA added/removed some attributes in
some version: the new managed permission's attributes will be applied, so
upgrades from both very old and not-so-old versions should "do the right thing".

If the old permission differs in something else than targetattrs, an error is
logged (this will show up in yum update output), and as before the new managed
permission is not created. The user now has 3 options to fix this:
- Delete the old permission, then run ipa-ldap-updater to create the new 
default.

This will probably be the safest route to go for users.

- Modify the old permission on an *old* system to match the old default,
possibly with targetattr changes, then run a *new* ipa-ldap-updater to convert
that to the new default
- Modify the old permission on a *new* system, which changes it to a V2
permission, then run ipa-ldap-updater to create the new default, ending up with
both permissions.

The distinction betwen the last two is subtle and error-prone, but
1) I don't see a better way, considering that future upgrades need to work well
(in IPA 4.0+ a user-created permission named "Add Sudo Rule" has no special
status)
2) I'm hoping that people didn't modify the old default permissions that much;
if they did they should have felt some pain already -- I don't think the update
system in 3.x would handle such changes wery well

I would personally still be more forceful, especially given the arguments you
gave in 2) and just log the old too-modified ACI and convert it to the new
style, but there are not many followers to this opinion though...

On the other hand, if someone did this kind of thing they probably (thought they) knew what they were doing, so they deserve a chance for manual intervention.

Apply my patch 0565 before trying these out.


Some testing tips:
- Create 3.x master and replica
- Upgrade master RPMs with these patches
- to add old permissions, run ipa-ldap-updater on the replica
- to simulate an upgrade, run ipa-ldap-updater on the master
- to delete a managed permission:
$ curl -v -H Content-Type:application/json -H Accept:applicaton/json
--negotiate -u : --delegation always --cacert /etc/ipa/ca.crt -X POST -H
referer:https://`hostname`/ipa/json -d '{"method": "permission_del",
"params":[["$PERMISSION_NAME"],{"force":true}], "id":0 }'
https://`hostname`/ipa/json
- be careful where you run permission-mod; on 4.0 it will convert the
permission to V2

In my tests, the upgrade from 3.x worked as expected so that went well. What I
still miss is a removal of ipapermdefaultattr in Add ACI in 553.3. As we
mentioned earlier, it is a NOOP and rather confuses people instead of improving
anything. Besides that, I did not spot any pending error.

Ah, sorry, I rebased on the wrong patch.
Here is the fixed version.


--
PetrĀ³

From 23ca7e70034ade6b55d1f925f8d63d5019e1e7ec Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 14 May 2014 16:08:28 +0200
Subject: [PATCH] Add mechanism for updating permissions to managed

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
---
 .../install/plugins/update_managed_permissions.py  | 139 ++++++++++++++++++++-
 1 file changed, 133 insertions(+), 6 deletions(-)

diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index c9994c77d390a85bfa954231dc8114aeb19709d6..13433d353cd09de77029fd76f7070bf79a432774 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -64,6 +64,9 @@
 * non_object
   - If true, no object-specific defaults are used (e.g. for
     ipapermtargetfilter, ipapermlocation).
+* replaces
+  - A list of ACIs corresponding to legacy default permissions replaced
+    by this permission.
 * fixup_function
   - A callable that may modify the template in-place before it is applied.
   - Called with the permission name, template dict, and keyword arguments:
@@ -80,8 +83,9 @@
 from ipapython.dn import DN
 from ipalib.plugable import Registry
 from ipalib.plugins import aci
-from ipalib.plugins.permission import permission
+from ipalib.plugins.permission import permission, permission_del
 from ipalib.aci import ACI
+from ipapython import ipautil
 from ipaserver.plugins.ldap2 import ldap2
 from ipaserver.install.plugins import LAST
 from ipaserver.install.plugins.baseupdate import PostUpdate
@@ -228,6 +232,10 @@
 }
 
 
+class IncompatibleACIModification(Exception):
+    """User has made a legacy default perm modification we can't handle"""
+
+
 @register()
 class update_managed_permissions(PostUpdate):
     """Update managed permissions after an update.
@@ -302,9 +310,10 @@ def update_permission(self, ldap, obj, name, template, anonymous_read_aci):
         assert name.startswith('System:')
 
         dn = self.api.Object[permission].get_dn(name)
+        permission_plugin = self.api.Object[permission]
 
         try:
-            attrs_list = list(self.api.Object[permission].default_attributes)
+            attrs_list = list(permission_plugin.default_attributes)
             attrs_list.remove('memberindirect')
             entry = ldap.get_entry(dn, attrs_list)
             is_new = False
@@ -312,10 +321,63 @@ def update_permission(self, ldap, obj, name, template, anonymous_read_aci):
             entry = ldap.make_entry(dn)
             is_new = True
 
-        self.log.debug('Updating managed permission: %s', name)
         self.update_entry(obj, entry, template,
                           anonymous_read_aci, is_new=is_new)
 
+        remove_legacy = False
+        if 'replaces' in template:
+            sub_dict = {
+                'SUFFIX': str(self.api.env.basedn),
+            }
+            legacy_acistrs = [ipautil.template_str(r, sub_dict)
+                              for r in template['replaces']]
+
+            legacy_aci = ACI(legacy_acistrs[0])
+            prefix, sep, legacy_name = legacy_aci.name.partition(':')
+            assert prefix == 'permission' and sep
+
+            legacy_dn = permission_plugin.get_dn(legacy_name)
+            try:
+                legacy_entry = ldap.get_entry(legacy_dn,
+                                              ['ipapermissiontype', 'cn'])
+            except errors.NotFound:
+                self.log.debug("Legacy permission %s not found", legacy_name)
+            else:
+                if 'ipapermissiontype' not in legacy_entry:
+                    if is_new:
+                        acientry, acistr = (
+                            permission_plugin._get_aci_entry_and_string(
+                                legacy_entry, notfound_ok=True))
+                        try:
+                            included, excluded = self.get_upgrade_attr_lists(
+                                acistr, legacy_acistrs)
+                        except IncompatibleACIModification:
+                            self.log.error(
+                                "Permission '%s' has been modified from its "
+                                "default; not updating it to '%s'.",
+                                legacy_name, name)
+                            return
+                        else:
+                            self.log.debug("Merging attributes from legacy "
+                                           "permission '%s'", legacy_name)
+                            self.log.debug("Included attrs: %s",
+                                           ', '.join(sorted(included)))
+                            self.log.debug("Excluded attrs: %s",
+                                           ', '.join(sorted(excluded)))
+                            entry['ipapermincludedattr'] = list(included)
+                            entry['ipapermexcludedattr'] = list(excluded)
+                            remove_legacy = True
+                    else:
+                        self.log.debug("Ignoring attributes in legacy "
+                                       "permission '%s' because '%s' exists",
+                                       legacy_name, name)
+                        remove_legacy = True
+                else:
+                    self.log.debug("Ignoring V2 permission named '%s'" %
+                                   legacy_name)
+
+        update_aci = True
+        self.log.debug('Updating managed permission: %s', name)
         if is_new:
             ldap.add_entry(entry)
         else:
@@ -323,11 +385,75 @@ def update_permission(self, ldap, obj, name, template, anonymous_read_aci):
                 ldap.update_entry(entry)
             except errors.EmptyModlist:
                 self.log.debug('No changes to permission: %s', name)
-                return
+                update_aci = False
 
-        self.log.debug('Updating ACI for managed permission: %s', name)
+        if update_aci:
+            self.log.debug('Updating ACI for managed permission: %s', name)
+            permission_plugin.update_aci(entry)
 
-        self.api.Object[permission].update_aci(entry)
+        if remove_legacy:
+            self.log.info("Removing legacy permission '%s'", legacy_name)
+            self.api.Command[permission_del](unicode(legacy_name))
+
+    def get_upgrade_attr_lists(self, current_acistring, default_acistrings):
+        """Compute included and excluded attributes for a new permission
+
+        :param current_acistring: ACI is in LDAP currently
+        :param default_acistrings:
+            List of all default ACIs IPA historically used for this permission
+        :return:
+            (ipapermincludedattr, ipapermexcludedattr) for the upgraded
+            permission
+
+        An attribute will be included if the user has it in LDAP but it does
+        not appear in *any* historic ACI.
+        It will be excluded if it is in *all* historic ACIs but not in LDAP.
+
+        If the ACIs differ in something else than the list of attributes,
+        raise IncompatibleACIModification. This means manual action is needed
+        (either delete the old permission or change it to resemble the default
+        again, then re-run ipa-ldap-updater)
+        """
+        assert default_acistrings
+
+        def _pop_targetattr(aci):
+            """Return the attr list it as a set, clear it in the ACI object
+            """
+            targetattr = aci.target.get('targetattr')
+            if targetattr:
+                attrs = targetattr['expression']
+                targetattr['expression'] = []
+                return set(t.lower() for t in attrs)
+            else:
+                return set()
+
+        current_aci = ACI(current_acistring)
+        current_attrs = _pop_targetattr(current_aci)
+        self.log.debug("Current ACI for '%s': %s",
+                       current_aci.name, current_acistring)
+
+        attrs_in_all_defaults = None
+        attrs_in_any_defaults = set()
+        for default_acistring in default_acistrings:
+            default_aci = ACI(default_acistring)
+            default_attrs = _pop_targetattr(default_aci)
+            self.log.debug("Default ACI for '%s': %s",
+                           default_aci.name, default_acistring)
+
+            if current_aci != default_aci:
+                self.log.debug('ACIs not compatible')
+                raise(IncompatibleACIModification())
+
+            if attrs_in_all_defaults is None:
+                attrs_in_all_defaults = set(default_attrs)
+            else:
+                attrs_in_all_defaults &= attrs_in_all_defaults
+            attrs_in_any_defaults |= default_attrs
+
+        included = current_attrs - attrs_in_any_defaults
+        excluded = attrs_in_all_defaults - current_attrs
+
+        return included, excluded
 
     def update_entry(self, obj, entry, template,
                      anonymous_read_aci, is_new):
@@ -339,6 +465,7 @@ def update_entry(self, obj, entry, template,
         entry.single_value['cn'] = name
 
         template = dict(template)
+        template.pop('replaces', None)
 
         fixup_function = template.pop('fixup_function', None)
         if fixup_function:
-- 
1.9.0

From 14cfa72b070786a5595901adc2bd0db9c60302b6 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 14 May 2014 14:57:35 +0200
Subject: [PATCH] Convert Sudo rule default permissions to managed

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
---
 install/updates/40-delegation.update | 25 -------------------------
 ipalib/plugins/sudorule.py           | 33 ++++++++++++++++++++++++++++++++-
 2 files changed, 32 insertions(+), 26 deletions(-)

diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 7f0f85124686fde97f35cca6dbb80614faf431d0..3f3b98799acfc7c5ae7218c3de682db35b815d2e 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -108,27 +108,6 @@ dn: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
 default:cn: Sudo Administrator
 default:description: Sudo Administrator
 
-dn: cn=Add Sudo rule,cn=permissions,cn=pbac,$SUFFIX
-default:objectClass: groupofnames
-default:objectClass: ipapermission
-default:objectClass: top
-default:cn: Add Sudo rule
-default:member: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Delete Sudo rule,cn=permissions,cn=pbac,$SUFFIX
-default:objectClass: groupofnames
-default:objectClass: ipapermission
-default:objectClass: top
-default:cn: Delete Sudo rule
-default:member: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Modify Sudo rule,cn=permissions,cn=pbac,$SUFFIX
-default:objectClass: groupofnames
-default:objectClass: ipapermission
-default:objectClass: top
-default:cn: Modify Sudo rule
-default:member: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
-
 dn: cn=Add Sudo command,cn=permissions,cn=pbac,$SUFFIX
 default:objectClass: groupofnames
 default:objectClass: ipapermission
@@ -172,10 +151,6 @@ dn: cn=Manage Sudo command group membership,cn=permissions,cn=pbac,$SUFFIX
 default:member: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
 
 dn: $SUFFIX
-add:aci: '(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX";)(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,$SUFFIX";)'
-add:aci: '(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX";)(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,$SUFFIX";)'
-add:aci: '(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX";)(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,$SUFFIX";)'
-
 remove:aci: '(targetattr = "description")(target = "ldap:///sudocmd=*,cn=sudocmds,cn=sudo,$SUFFIX";)(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,$SUFFIX";)'
 remove:aci: '(target = "ldap:///sudocmd=*,cn=sudocmds,cn=sudo,$SUFFIX";)(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,$SUFFIX";)'
 remove:aci: '(target = "ldap:///sudocmd=*,cn=sudocmds,cn=sudo,$SUFFIX";)(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,$SUFFIX";)'
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index 627b4b975f6336658eb74d37b4c15d803511c5d4..658cc06baab3691e045784f7f95a25fe103cfd56 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -144,7 +144,38 @@ class sudorule(LDAPObject):
                 'sudorunasuser', 'sudorunasgroup', 'sudooption',
                 'sudonotbefore', 'sudonotafter', 'sudoorder', 'description',
             },
-        }
+        },
+        'System: Add Sudo rule': {
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'add'},
+            'replaces': [
+                '(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX";)(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {'Sudo Administrator'},
+        },
+        'System: Delete Sudo rule': {
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'delete'},
+            'replaces': [
+                '(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX";)(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {'Sudo Administrator'},
+        },
+        'System: Modify Sudo rule': {
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'write'},
+            'ipapermdefaultattr': {
+                'description', 'ipaenabledflag', 'usercategory',
+                'hostcategory', 'cmdcategory', 'ipasudorunasusercategory',
+                'ipasudorunasgroupcategory', 'externaluser',
+                'ipasudorunasextuser', 'ipasudorunasextgroup', 'memberdenycmd',
+                'memberallowcmd', 'memberuser',
+            },
+            'replaces': [
+                '(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX";)(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {'Sudo Administrator'},
+        },
     }
 
     label = _('Sudo Rules')
-- 
1.9.0

From 0de727ff846181ba614bdc3b01dc3bba5468cab5 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 14 May 2014 15:10:10 +0200
Subject: [PATCH] Add missing attributes to 'Modify Sudo rule' permission

https://fedorahosted.org/freeipa/ticket/4344
---
 ipalib/plugins/sudorule.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index 658cc06baab3691e045784f7f95a25fe103cfd56..5520a37eed5a2a7e5034749a87af0e1d31e08969 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -169,7 +169,10 @@ class sudorule(LDAPObject):
                 'hostcategory', 'cmdcategory', 'ipasudorunasusercategory',
                 'ipasudorunasgroupcategory', 'externaluser',
                 'ipasudorunasextuser', 'ipasudorunasextgroup', 'memberdenycmd',
-                'memberallowcmd', 'memberuser',
+                'memberallowcmd', 'memberuser', 'memberhost', 'externalhost',
+                'sudonotafter', 'hostmask', 'sudoorder', 'sudonotbefore',
+                'ipasudorunas', 'externalhost', 'ipasudorunasgroup',
+                'ipasudoopt', 'memberhost',
             },
             'replaces': [
                 '(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX";)(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,$SUFFIX";)',
-- 
1.9.0

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to