On 4.7.2014 10:08, Martin Kosek wrote:
On 07/04/2014 10:00 AM, Petr Spacek wrote:
On 4.7.2014 09:34, Martin Kosek wrote:
The permission is required for DNS Administrators as the realm domains
object is updated when a master zone is added.

https://fedorahosted.org/freeipa/ticket/4423

I can't resist ;-)

NACK: Build failed.

--- existing ACI.txt
+++ new result
@@ -154,6 +154,8 @@
  aci: (targetattr = "krbmaxpwdlife || krbminpwdlife ||
krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration ||
krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength")(targetfilter =
"(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Modify Group
Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group
Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
  dn: cn=System: Read Group Password
Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
  aci: (targetattr = "cn || cospriority || krbmaxpwdlife || krbminpwdlife ||
krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration ||
krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength ||
objectclass")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl
"permission:System: Read Group Password Policy";allow (compare,read,search)
groupdn = "ldap:///cn=System: Read Group Password
Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Modify Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "associateddomain")(targetfilter =
"(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Modify
Realm Domains";allow (write) groupdn = "ldap:///cn=System: Modify Realm
Domains,cn=permissions,cn=pbac,dc=ipa,dc=example";)
  dn: cn=System: Read Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
  aci: (targetattr = "associateddomain || cn || objectclass")(targetfilter =
"(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Read
Realm Domains";allow (compare,read,search) userdn = "ldap:///all";;)
  dn: cn=System: Add Roles,cn=permissions,cn=pbac,dc=ipa,dc=example
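
Review bot: the added "System: Modify Realm Domains" entry is absent from the committed ACI.txt, which is what fails validation here; run `makeaci` and include the regenerated ACI.txt in the same patch as the permission. On the added aci line itself, write access to "associateddomain" is scoped only by targetfilter "(objectclass=domainrelatedobject)" and no target DN is visible in this output, so please confirm in the permission definition that the ACI is placed on the realm domains entry rather than higher in the tree, where any other entry carrying that object class would also match.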

Managed permission ACI validation failed.
Re-check permission changes and run `makeaci`.
ACI.txt validation failed

Oh, well - here is an updated patch.

ACK from a functional perspective. I'm not able to reproduce the problem with the patch applied. I have tested a clean installation and also an upgrade from 3.3.5.

It can be pushed if there is no problem on the Python side of things.

--
Petr^2 Spacek
