On 01/14/2015 10:15 AM, Petr Viktorin wrote:
On 01/13/2015 10:52 PM, Martin Kosek wrote:
On 01/13/2015 09:55 PM, Simo Sorce wrote:
On Tue, 13 Jan 2015 18:16:11 +0100
Martin Kosek <mko...@redhat.com> wrote:

This is a crude first version of the (working) fixes to fix
Winsync/PassSync problems caused by the PermissionV2 refactoring.

Simo/Petr3 or others, any concerns?

The first patch looks good.
The second looks .. broad?

Shouldn't you explicitly allow specific attributes?

You mean for:

+    'System: Read LDBM database config': {
+        'ipapermlocation': DN('cn=config'),
+        'ipapermtarget': DN('cn=config,cn=ldbm
+        'ipapermbindruletype': 'permission',
+        'ipapermright': {'read', 'search', 'compare'},
+        'default_privileges': {'Replication Administrators'},
+        'ipapermdefaultattr': {'*'},
+    },
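Review bot: `'ipapermdefaultattr': {'*'}` together with `{'read', 'search', 'compare'}` makes 'Replication Administrators' able to read every attribute under the `ipapermtarget` subtree, not only nsslapd-changelogdir, and nothing in the hunk records why the wildcard was chosen; add a comment on this entry stating that '*' is used because the DS rejects an ACI naming nsslapd-changelogdir (it is not in the schema, the entry being an extensibleObject), so a later cleanup does not narrow it back to an explicit attribute list and reintroduce the Winsync/PassSync failure. Also, the quoted `ipapermtarget` value is cut off after `cn=config,cn=ldbm`, so the scope of the grant cannot be confirmed from the quote; the full DN is needed to judge whether it is the narrowest subtree containing the changelog setting.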

? I did that as my first try, but then the ACI was not accepted, as the
attribute I was looking for (nsslapd-changelogdir) is not in the schema
(the config entry is just an extensibleObject). But as I was going through
the attributes, I did not see anything super-secret.

Petr, is there any way to make the permission plugin accept an unknown
attribute in the permission attribute list, or do we need to use "*" in
this case?

The ACL Syntax Error comes straight from the DS, so there's not much IPA can do. The error suggests adding nsslapd-changelogdir to the schema, but I'm not sure that's the right solution here.
Thierry, any comments? See the attached LDIF.

Actually this limitation was added with the bug https://bugzilla.redhat.com/show_bug.cgi?id=244229. I do not see in the bug if the ability to define a non-schema attribute was creating a problem for IPA.

Freeipa-devel mailing list