On 06/06/2014 11:38 AM, Martin Kosek wrote:
On 06/04/2014 06:43 PM, Petr Viktorin wrote:
Hello,
I try to think about any kind of data the user might have in LDAP, but in the
spirit of YAGNI, I'll deal with the various corner cases in IPA's historic
default permissions as I go along.
Patch 0568 adds support for the case where the default permissions changed in
something else than attribute lists. Needed for the 'Change User password'
permission.
Patch 0569 converts user permissions to managed.
Patch 0570 fixes https://fedorahosted.org/freeipa/ticket/3697
1) Add aci has targetfilter part - is that intentional?
Yes.
From the permission plugin's point of view, it's part of the
definition of --type user (i.e. "this applies to users").
Regardless I think it should be there.
# ipa permission-show 'System: Add Users' --all --raw
...
aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl
"permission:System: Add Users";allow (add) groupdn = "ldap:///cn=System: Add
Users,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test";)
This part IS effective though, so it may not be a bad thing at all, to keep it
in the ACI:
# ldapadd -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
dn: cn=foo,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
objectclass: top
objectclass: nscontainer
cn: foo
adding new entry "cn=foo,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test"
ldap_add: Insufficient access (50)
additional info: Insufficient 'add' privilege to add the entry
'cn=foo,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test'.
# ipa user-add --first=Foo --last Bar fbar2
------------------
Added user "fbar2"
------------------
User login: fbar2
First name: Foo
...
2) System: Add User to default group
I was wondering whether we should keep the ACI in cn=groups container or
directly with the group, but I think the group itself is a good idea. (Unless
someone deletes and recreates it).
Hm, this is a good point. If the ipausers group is deleted, there'll be
a permission with a missing ACI that can't be created. That could be
quite annoying.
I put the ACI in the container.
3) System: Change User password
I hit some nasty DS error which prevented an authorized user from updating the password.
ACI log attached. Ludwig, does that ring any bell?
The ACI itself looks OK though as after I restarted DS, it started to work.
Maybe DS did not cache the ACIs properly after upgrade?
Which DS version are you using?
4) When running user unit tests, I found a couple of issues:
a) Some attributes we may still miss in the permissions:
- krbPrincipalExpiration
- userclass
- ipaUserAuthType
- preferredLanguage
I am thinking we could base the Modify Users permission on the read one and add
the regular attributes there.
I put in userclass and preferredLanguage.
I'm not sure about the other two; should regular user admins be able to
change these?
b) Read membership ACIs for users and groups miss "member" attribute and thus
indirect/direct processing goes wrong.
Added.
--
Petr³
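The attribute reconciliation that patch 0568 extends (compatible historic defaults are kept, incompatible ones dropped, an attribute "included" when only the live ACI has it and "excluded" when every compatible historic default has it but the live ACI does not), as an added stand-alone Python example that is not part of the patch or of FreeIPA. The ACI strings are built from a constructed suffix in the shape used by delegation.ldif, and compatibility is decided by comparing the ACI text with the targetattr clause removed (whitespace-normalized) rather than with IPA's ACI parser class; `make_password_aci`, `pop_targetattr`, `try_upgrade`, `HISTORIC_DEFAULTS` and the sample suffix are this example's own names.

```python
import re

# Constructed sample suffix for this example; a real deployment uses api.env.basedn.
SUFFIX = 'dc=example,dc=test'
ADMINS_FILTER = '(!(memberOf=cn=admins,cn=groups,cn=accounts,%s))' % SUFFIX
PASSWORD_ATTRS = ['userpassword', 'krbprincipalkey', 'sambalmpassword',
                  'sambantpassword', 'passwordhistory']


class IncompatibleACIModification(Exception):
    """The live ACI differs from every historic default outside its attribute list."""


def make_password_aci(attrs, targetfilter=None):
    """Build a 'Change a user password' ACI string in the shape used by delegation.ldif.

    Example helper (not IPA code): with targetfilter=None it reproduces the oldest
    default, with ADMINS_FILTER the later one that excludes administrators.
    """
    parts = []
    if targetfilter:
        parts.append('(targetfilter = "%s")' % targetfilter)
    parts.append('(target = "ldap:///uid=*,cn=users,cn=accounts,%s")' % SUFFIX)
    parts.append('(targetattr = "%s")' % ' || '.join(attrs))
    parts.append('(version 3.0;acl "permission:Change a user password";'
                 'allow (write) groupdn = "ldap:///cn=Change a user password,'
                 'cn=permissions,cn=pbac,%s";)' % SUFFIX)
    return ''.join(parts)


# The two historic shapes of the default ACI that appear in the patch's 'replaces' list.
HISTORIC_DEFAULTS = [
    make_password_aci(PASSWORD_ATTRS),
    make_password_aci(PASSWORD_ATTRS, ADMINS_FILTER),
]

TARGETATTR_RE = re.compile(r'\(targetattr\s*=\s*"([^"]*)"\)')


def pop_targetattr(acistring):
    """Split an ACI into (set of targetattr names, remaining ACI text).

    Attribute types are case-insensitive in LDAP, so names are lowercased; the
    remainder is whitespace-normalized so two ACIs differing only in spacing compare equal.
    """
    m = TARGETATTR_RE.search(acistring)
    if m is None:
        attrs, rest = set(), acistring
    else:
        attrs = {a.strip().lower() for a in m.group(1).split('||') if a.strip()}
        rest = acistring[:m.start()] + acistring[m.end():]
    return attrs, ' '.join(rest.split())


def get_upgrade_attr_lists(current_acistring, default_acistrings):
    """Return (included, excluded) attribute sets for a possibly hand-edited ACI.

    Rules from the patch's docstring:
      * a historic default differing from the live ACI in anything other than
        targetattr is dropped from consideration;
      * if every historic default is dropped, raise IncompatibleACIModification;
      * 'included' = attributes in the live ACI but in no compatible default;
      * 'excluded' = attributes in every compatible default but not in the live ACI.
    Attributes the compatible defaults disagree on are left to the new managed default.
    """
    assert default_acistrings
    current_attrs, current_rest = pop_targetattr(current_acistring)
    attrs_in_all_defaults = None
    attrs_in_any_defaults = set()
    for default_acistring in default_acistrings:
        default_attrs, default_rest = pop_targetattr(default_acistring)
        if default_rest != current_rest:
            continue  # incompatible historic version: ignore it entirely
        if attrs_in_all_defaults is None:
            attrs_in_all_defaults = set(default_attrs)
        else:
            attrs_in_all_defaults &= default_attrs  # intersect with this default's list
        attrs_in_any_defaults |= default_attrs
    if attrs_in_all_defaults is None:
        raise IncompatibleACIModification()
    included = current_attrs - attrs_in_any_defaults
    excluded = attrs_in_all_defaults - current_attrs
    return included, excluded


def try_upgrade(current_acistring, default_acistrings=HISTORIC_DEFAULTS):
    """Like get_upgrade_attr_lists, but return None instead of raising."""
    try:
        return get_upgrade_attr_lists(current_acistring, default_acistrings)
    except IncompatibleACIModification:
        return None


if __name__ == '__main__':
    # An admin removed sambalmpassword and added krbpasswordexpiration on top of
    # the newer default shape; only the filtered historic default is compatible.
    edited = make_password_aci(['userpassword', 'krbprincipalkey', 'sambantpassword',
                                'passwordhistory', 'krbpasswordexpiration'], ADMINS_FILTER)
    print(try_upgrade(edited))  # ({'krbpasswordexpiration'}, {'sambalmpassword'})
    # A different targetfilter makes both historic defaults incompatible: None
    print(try_upgrade(make_password_aci(PASSWORD_ATTRS, '(objectclass=posixaccount)')))
```

The same edited attribute list gives the same result whether the live ACI has the admins targetfilter or not, because whichever historic default matches the rest of the ACI is the one used; only when no historic default matches does the updater give up and require manual action.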
From cbf9d15a6c0a3bb02d3c84594e8f299dd40f831e Mon Sep 17 00:00:00 2001
From: Petr Viktorin <[email protected]>
Date: Wed, 4 Jun 2014 16:11:30 +0200
Subject: [PATCH] managed perm updater: Handle case where we changed default
ACIs in the past
This handles the case where IPA's default ACIs changed in something else
than just attribute lists.
In this case we can narrow the set of ACIs we think the user might be
upgrading from.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
---
.../install/plugins/update_managed_permissions.py | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 13433d353cd09de77029fd76f7070bf79a432774..e6f852c09d1a732109da5d56320192d4e617ab38 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -408,11 +408,20 @@ def get_upgrade_attr_lists(self, current_acistring, default_acistrings):
An attribute will be included if the user has it in LDAP but it does
not appear in *any* historic ACI.
It will be excluded if it is in *all* historic ACIs but not in LDAP.
+ Rationale: When we don't know which version of an ACI the user is
+ upgrading from, we only consider attributes where all the versions
+ agree. For other attrs we'll use the default from the new managed perm.
If the ACIs differ in something else than the list of attributes,
raise IncompatibleACIModification. This means manual action is needed
(either delete the old permission or change it to resemble the default
- again, then re-run ipa-ldap-updater)
+ again, then re-run ipa-ldap-updater).
+
+ In case there are multiple historic default ACIs, and some of them
+ are compatible with the current but other ones aren't, we deduce that
+ the user is upgrading from one of the compatible ones.
+ The incompatible ones are removed from consideration, both for
+ compatibility and attribute lists.
"""
assert default_acistrings
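Review bot: the docstring now contradicts itself: the earlier sentence "If the ACIs differ in something else than the list of attributes, raise IncompatibleACIModification" is only true when no historic default is compatible, while the new last paragraph says incompatible defaults are merely dropped from consideration. Reword the earlier sentence to "If the current ACI differs from every historic default in something other than the attribute list, raise IncompatibleACIModification" so the two paragraphs describe the same behaviour.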
@@ -434,6 +443,7 @@ def _pop_targetattr(aci):
attrs_in_all_defaults = None
attrs_in_any_defaults = set()
+ all_incompatible = True
for default_acistring in default_acistrings:
default_aci = ACI(default_acistring)
default_attrs = _pop_targetattr(default_aci)
@@ -442,7 +452,9 @@ def _pop_targetattr(aci):
if current_aci != default_aci:
self.log.debug('ACIs not compatible')
- raise(IncompatibleACIModification())
+ continue
+ else:
+ all_incompatible = False
if attrs_in_all_defaults is None:
attrs_in_all_defaults = set(default_attrs)
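Review bot: the `else:` after `continue` is redundant; `all_incompatible = False` can follow the `if` directly. More importantly, now that an incompatible default is silently skipped instead of aborting, the debug line 'ACIs not compatible' should say which historic ACI was ruled out, e.g. `self.log.debug('Default ACI not compatible, skipping: %s', default_acistring)`, so an administrator reading the updater log can see why a particular version was not used.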
@@ -450,6 +462,10 @@ def _pop_targetattr(aci):
attrs_in_all_defaults &= attrs_in_all_defaults
attrs_in_any_defaults |= default_attrs
+ if all_incompatible:
+ self.log.debug('All old default ACIs are incompatible')
+ raise(IncompatibleACIModification())
+
included = current_attrs - attrs_in_any_defaults
excluded = attrs_in_all_defaults - current_attrs
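Review bot: the unchanged context line `attrs_in_all_defaults &= attrs_in_all_defaults` intersects the set with itself, which is a no-op; it should read `attrs_in_all_defaults &= default_attrs`. As written, `attrs_in_all_defaults` stays equal to the first compatible default's attribute list, so an attribute present in the first historic default but absent from later ones is wrongly placed in `excluded`. The bug is pre-existing, but this patch touches the loop and its new `all_incompatible` guard is what guarantees the set is non-None below, so fixing it here is appropriate.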
--
1.9.0
From c60049d174dc36dbef4a0d978e9ec14c275cab3b Mon Sep 17 00:00:00 2001
From: Petr Viktorin <[email protected]>
Date: Wed, 4 Jun 2014 15:21:26 +0200
Subject: [PATCH] Convert User default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
---
install/share/delegation.ldif | 72 ------------------------------
install/updates/40-delegation.update | 16 -------
ipalib/plugins/user.py | 85 ++++++++++++++++++++++++++++++++++++
3 files changed, 85 insertions(+), 88 deletions(-)
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 43d13974ffd63ea6ee554c815b911715609149b8..2c712bfc174b3151a5bf69e37ebfe58f2fff96f4 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -133,65 +133,6 @@ dn: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
# Default permissions.
############################################
-# User administration
-
-dn: cn=Add Users,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: ipapermission
-cn: Add Users
-member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: ipapermission
-cn: Change a user password
-member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: ipapermission
-cn: Add user to default group
-member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectclass: top
-objectclass: groupofnames
-objectClass: ipapermission
-cn: Unlock user accounts
-member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
-member: cn=admins,cn=groups,cn=accounts,$SUFFIX
-
-dn: cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: ipapermission
-cn: Remove Users
-member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: ipapermission
-cn: Modify Users
-member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: ipapermission
-cn: Manage User SSH Public Keys
-member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
-
# Group administration
dn: cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX
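Review bot: the removed 'Unlock user accounts' entry had two members, 'User Administrators' and the admins group (`member: cn=admins,cn=groups,cn=accounts,$SUFFIX`), whereas the managed replacement 'System: Unlock User' in ipalib/plugins/user.py lists only `'default_privileges': {'User Administrators'}`. If dropping the direct admins membership is intentional, state it in the commit message; otherwise that assignment is lost on upgrade without any notice.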
@@ -521,19 +462,6 @@ dn: cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX
# Default permissions (ACIs)
############################################
-# User administration
-
-dn: $SUFFIX
-changetype: modify
-add: aci
-aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX))")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)
-
# Group administration
dn: $SUFFIX
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 3f3b98799acfc7c5ae7218c3de682db35b815d2e..7c3a284b8d2a0592240e56d8118c821a25fc7798 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -307,14 +307,6 @@ dn: $SUFFIX
replace:aci:'(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX";)'
replace:aci:'(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX";)'
-# SSH public keys
-dn: cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX
-default:objectClass: top
-default:objectClass: groupofnames
-default:objectClass: ipapermission
-default:cn: Manage User SSH Public Keys
-default:member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
-
dn: cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
@@ -323,16 +315,8 @@ dn: cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX
default:member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
-add:aci:'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)'
-
-dn: $SUFFIX
add:aci:'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)'
-# Limit the change password permission so it can't change the passwords
-# of administrators
-dn: $SUFFIX
-replace:aci:'(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX))")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)'
-
# Don't allow the default 'manage group membership' to be able to manage the
# admins group
replace:aci:'(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)'
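Review bot: with the `replace:aci` for 'Change a user password' gone from the update file, an installation whose ACI still lacks the `(!(memberOf=cn=admins,...))` exclusion now depends entirely on the managed-permission updater matching the old string in the `replaces` list of 'System: Change User password'. Both the unfiltered and the filtered variants are listed there, so the upgrade path is covered, but the explanatory comment being removed here ("Limit the change password permission so it can't change the passwords of administrators") should move next to `ipapermtargetfilter` in user.py so the reason for the filter is not lost.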
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 27ad36b7fdbee5b2c0dba10f1c381233e8059150..63f908efd67ef9607654ff67e124cb0fb27f271c 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -336,6 +336,91 @@ class user(LDAPObject):
'ipapermdefaultattr': {'*'},
'default_privileges': {'User Administrators'},
},
+ 'System: Add Users': {
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'add'},
+ 'replaces': [
+ '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'User Administrators'},
+ },
+ 'System: Add User to default group': {
+ 'non_object': True,
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'write'},
+ 'ipapermlocation': DN(api.env.container_group, api.env.basedn),
+ 'ipapermtarget': DN('cn=ipausers', api.env.container_group,
+ api.env.basedn),
+ 'ipapermdefaultattr': {'member'},
+ 'replaces': [
+ '(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'User Administrators'},
+ },
+ 'System: Change User password': {
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'write'},
+ 'ipapermtargetfilter': [
+ '(objectclass=posixaccount)',
+ '(!(memberOf=%s))' % DN('cn=admins',
+ api.env.container_group,
+ api.env.basedn),
+ ],
+ 'ipapermdefaultattr': {
+ 'krbprincipalkey', 'passwordhistory', 'sambalmpassword',
+ 'sambantpassword', 'userpassword'
+ },
+ 'replaces': [
+ '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)',
+ '(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX))")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'User Administrators'},
+ },
+ 'System: Manage User SSH Public Keys': {
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {'ipasshpubkey'},
+ 'replaces': [
+ '(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'User Administrators'},
+ },
+ 'System: Modify Users': {
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {
+ 'businesscategory', 'carlicense', 'cn', 'description',
+ 'displayname', 'employeetype', 'facsimiletelephonenumber',
+ 'gecos', 'givenname', 'homephone', 'inetuserhttpurl',
+ 'initials', 'l', 'labeleduri', 'loginshell', 'manager',
+ 'mepmanagedentry', 'mobile', 'objectclass', 'ou', 'pager',
+ 'postalcode', 'roomnumber', 'secretary', 'seealso', 'sn', 'st',
+ 'street', 'telephonenumber', 'title'
+ },
+ 'replaces': [
+ '(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'User Administrators'},
+ },
+ 'System: Remove Users': {
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'delete'},
+ 'replaces': [
+ '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'User Administrators'},
+ },
+ 'System: Unlock User': {
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {
+ 'krblastadminunlock', 'krbloginfailedcount'
+ },
+ 'replaces': [
+ '(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'User Administrators'},
+ },
}
label = _('Users')
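Review bot: 'System: Change User password' gains `'(objectclass=posixaccount)'` in its targetfilter, which neither historic ACI in its `replaces` list had; that matches point 1 of the thread but deserves a sentence in the commit message. Separately, 'System: Modify Users' keeps 'objectclass' in `ipapermdefaultattr`, inherited from the old ACI: write access to objectclass lets a user administrator add auxiliary object classes to an entry, which is broader than the attribute list suggests, so add a comment explaining why it is needed.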
--
1.9.0
From ac213ca267dbbd1d608d632ea4c5b514f1b11ec4 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <[email protected]>
Date: Wed, 4 Jun 2014 15:35:31 +0200
Subject: [PATCH] Add missing attributes to User managed permissions
- Add nsAccountLock to the Unlock user accounts permission
- Add member to Read User Membership
- Add userClass and preferredLanguage to Modify Users
https://fedorahosted.org/freeipa/ticket/3697
---
ipalib/plugins/user.py | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 63f908efd67ef9607654ff67e124cb0fb27f271c..f7552ea460007f472ae3ed7b54b785e85421c9fb 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -322,7 +322,7 @@ class user(LDAPObject):
'ipapermbindruletype': 'all',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
- 'memberof',
+ 'memberof', 'member',
},
},
'System: Read UPG Definition': {
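Review bot: 'System: Read User Membership' binds with `'ipapermbindruletype': 'all'`, so adding 'member' makes it readable by every authenticated bind. User entries do not normally carry 'member', so this is harmless, but the commit message should state the reason given in the thread: the direct/indirect membership processing reads both memberof and member and goes wrong when member is unreadable.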
@@ -395,7 +395,8 @@ class user(LDAPObject):
'initials', 'l', 'labeleduri', 'loginshell', 'manager',
'mepmanagedentry', 'mobile', 'objectclass', 'ou', 'pager',
'postalcode', 'roomnumber', 'secretary', 'seealso', 'sn', 'st',
- 'street', 'telephonenumber', 'title'
+ 'street', 'telephonenumber', 'title', 'userclass',
+ 'preferredlanguage',
},
'replaces': [
'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX";)',
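Review bot: 'userclass' and 'preferredlanguage' are appended after 'title' rather than placed in the alphabetical order the rest of the set follows; move them into position to keep the list scannable. Leaving the `replaces` ACI string unchanged is correct, since it records the historic default the updater matches against rather than the new attribute list.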
@@ -414,7 +415,7 @@ class user(LDAPObject):
'ipapermbindruletype': 'permission',
'ipapermright': {'write'},
'ipapermdefaultattr': {
- 'krblastadminunlock', 'krbloginfailedcount'
+ 'krblastadminunlock', 'krbloginfailedcount', 'nsaccountlock',
},
'replaces': [
'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX";)',
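Review bot: adding 'nsaccountlock' to 'System: Unlock User' grants write, so holders can set `nsaccountlock: TRUE` as well as clear it, i.e. disable accounts rather than only unlock them; the permission name understates this, so document it in the permission's description or split the lock and unlock cases if the distinction matters. The commit message also refers to "the Unlock user accounts permission" while the managed permission is named 'System: Unlock User'.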
--
1.9.0
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel