On 01/14/2015 10:37 AM, thierry bordaz wrote:
> On 01/14/2015 10:15 AM, Petr Viktorin wrote:
>> On 01/13/2015 10:52 PM, Martin Kosek wrote:
>>> On 01/13/2015 09:55 PM, Simo Sorce wrote:
>>>> On Tue, 13 Jan 2015 18:16:11 +0100
>>>> Martin Kosek <mko...@redhat.com> wrote:
>>>>
>>>>> This is crude first version of the (working) fixes to fix
>>>>> Winsync/Passsync problems caused by the PermissionV2 refactoring.
>>>>>
>>>>> Simo/Petr3 or others, any concerns?
>>>>>
>>>>
>>>> The first patch looks good
>>>> the second looks .. broad ?
>>>>
>>>> Shouldn't you explicitly allow specific attributes ?
>>>
>>> You mean for:
>>>
>>> +    'System: Read LDBM database config': {
>>> +        'ipapermlocation': DN('cn=config'),
>>> +        'ipapermtarget': DN('cn=config,cn=ldbm
>>> database,cn=plugins,cn=config'),
>>> +        'ipapermbindruletype': 'permission',
>>> +        'ipapermright': {'read', 'search', 'compare'},
>>> +        'default_privileges': {'Replication Administrators'},
>>> +        'ipapermdefaultattr': {'*'},
>>> +    },
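Review bot: `'ipapermdefaultattr': {'*'}` combined with `{'read', 'search', 'compare'}` makes this permission cover every attribute of the `cn=config,cn=ldbm database,cn=plugins,cn=config` entry, while the thread says only nsslapd-changelogdir is actually needed. If the schema problem with naming that attribute explicitly can be solved, list it instead of '*'; otherwise record in the permission (name or a comment next to the entry) why the wildcard is required, so that the grant is not silently widened further when the definition is edited later.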
>>>
>>> ? I did that as my first try, but then the ACI was not accepted as the
>>> attribute I was looking for (nsslapd-changelogdir) is not in the schema
>>> as the config is just an extensibleObject. But as I was going through
>>> the attributes, I did not see anything super-secret.
>>>
>>> Petr, is there any way to make permission plugin accept unknown
>>> attribute in the permission attribute list, or do we need to use "*" in
>>> this case?
>>
>> The ACL Syntax Error comes straight from the DS, so there's not much IPA can
>> do. The error suggests adding nsslapd-changelogdir to the schema, but I'm not
>> sure that's the right solution here.
>> Thierry, any comments? See the attached LDIF.
>>
> 
> 
> Yes, DS acl plugin checks that the named attribute is in the schema. I do not
> see the benefit of this limitation; I need to dig further.
> Now you may define the 'targetattr' with a '*'. Would it be possible to use an
> aci syntax like:
> 
> aci: (targetattr = "nsslapd-changelogdir*")(version 3.0;acl "test-aci";allow
> (compare,read,search) groupdn = "ldap:///all";;)
> 
> thanks
> thierry

Maybe, although it looks a bit ugly. So far, I just used "*" given the ACIs were
quite focused and only for "Replication Administrators" privilege members.

Martin
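The thread turns on how broad a 389 DS ACI becomes when `targetattr` is `"*"` or a prefix wildcard such as `"nsslapd-changelogdir*"`. The following added example (not code from the FreeIPA patch or from 389 DS) parses ACIs written in the syntax quoted above and reports the grants a reviewer would want to look at: wildcard attribute lists and bind rules not tied to a specific group. The sample ACIs, the `parse_aci`/`audit_aci` names and the simplified grammar (targetattr first, optional target, one allow clause) are assumptions made for this example.

```python
import re

# Constructed sample ACIs in the syntax quoted in the thread (written for this
# example, not taken from the FreeIPA patch under discussion).
SAMPLE_ACIS = [
    '(targetattr = "nsslapd-changelogdir*")(version 3.0;acl "test-aci";'
    'allow (compare,read,search) groupdn = "ldap:///all";)',
    '(targetattr = "*")(target = "ldap:///cn=config,cn=ldbm database,cn=plugins,cn=config")'
    '(version 3.0;acl "System: Read LDBM database config";allow (read,search,compare) '
    'groupdn = "ldap:///cn=Replication Administrators,cn=privileges,cn=pbac,dc=example,dc=com";)',
    '(targetattr = "cn || nsslapd-directory")(version 3.0;acl "narrow";'
    'allow (read) groupdn = "ldap:///cn=admins,dc=example,dc=com";)',
]

# Simplified ACI grammar (assumption): targetattr, optional target, one allow clause.
ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\)'
    r'(?:\(target\s*=\s*"(?P<target>[^"]*)"\))?'
    r'\(version 3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'allow\s*\((?P<rights>[^)]*)\)\s*(?P<bind>[^;]*);\)'
)

def parse_aci(aci):
    """Split one ACI into name, attribute list, target, rights and bind rule."""
    m = ACI_RE.search(aci)
    if not m:
        raise ValueError("unrecognised ACI: %s" % aci)
    attrs = [a.strip() for a in m.group("attrs").split("||")]
    rights = {r.strip() for r in m.group("rights").split(",")}
    return {"name": m.group("name"), "negated": m.group("op") == "!=",
            "attrs": attrs, "target": m.group("target"),
            "rights": rights, "bind": m.group("bind").strip()}

def audit_aci(aci):
    """Return (acl name, findings): wildcard attribute grants and unscoped bind rules."""
    p = parse_aci(aci)
    findings = []
    for a in p["attrs"]:
        if a == "*":
            findings.append("all attributes granted %s" % ",".join(sorted(p["rights"])))
        elif a.endswith("*"):
            findings.append("prefix wildcard %r matches any attribute with that prefix" % a)
    if p["negated"]:
        findings.append("negated targetattr grants every attribute except those listed")
    if p["bind"].endswith('"ldap:///all"') or p["bind"].endswith('"ldap:///anyone"'):
        findings.append("bind rule %s is not scoped to a specific group" % p["bind"])
    return p["name"], findings

if __name__ == "__main__":
    for aci in SAMPLE_ACIS:
        print(audit_aci(aci))
```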

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel