On 06/23/2014 03:00 PM, Alexander Bokovoy wrote:
On Mon, 23 Jun 2014, Tomas Babej wrote:
Hi,

this fixes the initial findings of the trust-after-ACI-refactoring
investigation. Consider the overall effort still WIP (this patch itself is not).

https://fedorahosted.org/freeipa/ticket/4385
ACK. With this fix we are able to establish trust with git master.

There are some strange errors where the Samba libraries report a protocol
version mismatch, or AD refuses the operation with access denied, while the AD
administrator account works and creates trusts with rpcclient.

This patch should go in but we are looking to fix the rest.


Hi Tomáš,
I've rebased the patch; there was a change in group ACIs recently.
I've also made the attributes lowercase for consistency.

Does this version still look OK?

--
Petr³

From 265ae0d2675b03957f8d57400039ba1f5932ab23 Mon Sep 17 00:00:00 2001
From: Tomas Babej <[email protected]>
Date: Thu, 19 Jun 2014 12:25:56 +0200
Subject: [PATCH] trusts: Allow reading ipaNTSecurityIdentifier in user and
 group objects

https://fedorahosted.org/freeipa/ticket/4385
---
 ACI.txt                 | 4 ++--
 ipalib/plugins/group.py | 1 +
 ipalib/plugins/user.py  | 3 ++-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index acc38ed325f4e4d352ba81c4813a2f4bd5fa0733..d9eac3db0f906e4de41dabba6f743e5767064c46 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -31,7 +31,7 @@ aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certreco
 dn: cn=System: Read Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "member || memberhost || memberof || memberuid || memberuser")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Group Membership";allow (compare,read,search) userdn = "ldap:///all";;)
 dn: cn=System: Read Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "businesscategory || cn || description || gidnumber || ipaexternalmember || ipauniqueid || mepmanagedby || o || objectclass || ou || owner || seealso")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";;)
+aci: (targetattr = "businesscategory || cn || description || gidnumber || ipaexternalmember || ipantsecurityidentifier || ipauniqueid || mepmanagedby || o || objectclass || ou || owner || seealso")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";;)
 dn: cn=System: Read HBAC Rules,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "accessruletype || accesstime || cn || description || externalhost || hostcategory || ipaenabledflag || ipauniqueid || member || memberhost || memberservice || memberuser || objectclass || servicecategory || sourcehost || sourcehostcategory || usercategory")(targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Read HBAC Rules";allow (compare,read,search) userdn = "ldap:///all";;)
 dn: cn=System: Read HBAC Services,cn=permissions,cn=pbac,dc=ipa,dc=example
@@ -135,7 +135,7 @@ aci: (targetattr = "krblastadminunlock || krblastfailedauth || krblastpwdchange
 dn: cn=System: Read User Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "memberof")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Membership";allow (compare,read,search) userdn = "ldap:///all";;)
 dn: cn=System: Read User Standard Attributes,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "cn || description || displayname || gecos || gidnumber || givenname || homedirectory || initials || loginshell || manager || objectclass || sn || title || uid || uidnumber")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Standard Attributes";allow (compare,read,search) userdn = "ldap:///anyone";;)
+aci: (targetattr = "cn || description || displayname || gecos || gidnumber || givenname || homedirectory || initials || ipantsecurityidentifier || loginshell || manager || objectclass || sn || title || uid || uidnumber")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Standard Attributes";allow (compare,read,search) userdn = "ldap:///anyone";;)
 dn: cn=System: Remove Users,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Remove Users";allow (delete) groupdn = "ldap:///cn=System: Remove Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Unlock User,cn=permissions,cn=pbac,dc=ipa,dc=example
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index d130f86686e17b8e3cdc5fafabc64fdde4f2dfc4..1ca149035bf987f30003f8ab240feca2dcc72b80 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -150,6 +150,7 @@ class group(LDAPObject):
                 'businesscategory', 'cn', 'description', 'gidnumber',
                 'ipaexternalmember', 'ipauniqueid', 'mepmanagedby', 'o',
                 'objectclass', 'ou', 'owner', 'seealso',
+                'ipantsecurityidentifier'
             },
         },
         'System: Read Group Membership': {
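Review bot: The added `'ipantsecurityidentifier'` is appended after `'seealso'` with no trailing comma and out of the alphabetical order the rest of the set keeps, so the next attribute added here will need to touch this line again; prefer `'ipaexternalmember', 'ipantsecurityidentifier', 'ipauniqueid', 'mepmanagedby', 'o',` in the sorted position with trailing commas throughout. The same applies to the user.py hunk, which appends the attribute after `'uidnumber',`. More importantly, the ACI.txt hunks show both target permissions are granted to `userdn = "ldap:///anyone"`, so with this change the SID of every user and group becomes readable on an anonymous bind; if only authenticated consumers (the trust code, SSSD) need it, it may belong in a permission scoped to `ldap:///all` instead — worth confirming in the commit message. The enclosing `managed_permissions` dict of `class group` starts and ends outside the hunk.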
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 2ffc1ef4bd873db4a3d5d3156d9a839b0b8f2881..f646e85827bba4544f962c36f5f15c2a89cb2d75 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -266,7 +266,8 @@ class user(LDAPObject):
             'ipapermdefaultattr': {
                 'objectclass', 'cn', 'sn', 'description', 'title', 'uid',
                 'displayname', 'givenname', 'initials', 'manager', 'gecos',
-                'gidnumber', 'homedirectory', 'loginshell', 'uidnumber'
+                'gidnumber', 'homedirectory', 'loginshell', 'uidnumber',
+                'ipantsecurityidentifier'
             },
         },
         'System: Read User Addressbook Attributes': {
-- 
1.9.3

