On 01/14/2015 10:37 AM, thierry bordaz wrote:
> On 01/14/2015 10:15 AM, Petr Viktorin wrote:
>> On 01/13/2015 10:52 PM, Martin Kosek wrote:
>>> On 01/13/2015 09:55 PM, Simo Sorce wrote:
>>>> On Tue, 13 Jan 2015 18:16:11 +0100
>>>> Martin Kosek <mko...@redhat.com> wrote:
>>>>
>>>>> This is a crude first version of the (working) fixes to fix
>>>>> Winsync/Passsync problems caused by the PermissionV2 refactoring.
>>>>>
>>>>> Simo/Petr3 or others, any concerns?
>>>>>
>>>>
>>>> The first patch looks good,
>>>> the second looks .. broad?
>>>>
>>>> Shouldn't you explicitly allow specific attributes?
>>>
>>> You mean for:
>>>
>>> + 'System: Read LDBM database config': {
>>> + 'ipapermlocation': DN('cn=config'),
>>> + 'ipapermtarget': DN('cn=config,cn=ldbm
>>> database,cn=plugins,cn=config'),
>>> + 'ipapermbindruletype': 'permission',
>>> + 'ipapermright': {'read', 'search', 'compare'},
>>> + 'default_privileges': {'Replication Administrators'},
>>> + 'ipapermdefaultattr': {'*'},
>>> + },
>>>
>>> ? I did that as my first try, but then the ACI was not accepted, as the
>>> attribute I was looking for (nsslapd-changelogdir) is not in the schema,
>>> as the config is just an extensibleObject. But as I was going through
>>> the attributes, I did not see anything super-secret.
>>>
>>> Petr, is there any way to make the permission plugin accept an unknown
>>> attribute in the permission attribute list, or do we need to use "*" in
>>> this case?
>>
>> The ACL Syntax Error comes straight from the DS, so there's not much IPA can
>> do. The error suggests adding nsslapd-changelogdir to the schema, but I'm not
>> sure that's the right solution here.
>> Thierry, any comments? See the attached LDIF.
>>
>
> Yes, the DS acl plugin checks that the named attribute is in the schema. I do not
> see the benefit of this limitation; I need to dig further.
> Now you may define the 'targetattr' with a '*'.
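Review bot: in the 'System: Read LDBM database config' hunk, `'ipapermdefaultattr': {'*'}` grants read, search and compare on every attribute of the target entry and everything below it, not only nsslapd-changelogdir, and nothing in the hunk records why the wildcard was chosen. Since the narrower list is rejected by DS because nsslapd-changelogdir is not in the schema, add a comment next to the entry stating that, and that it is the `ipapermtarget` DN rather than the attribute list that bounds this grant, so a later cleanup does not narrow it back to a list DS will refuse.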
> Would it be possible to use an
> aci syntax like:
>
> aci: (targetattr = "nsslapd-changelogdir*")(version 3.0;acl "test-aci";allow
> (compare,read,search) groupdn = "ldap:///all";)
>
> thanks
> thierry
Maybe, although it looks a bit ugly. So far, I just used "*" given the ACIs were quite focused and only for "Replication Administrators" privilege members.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
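The three variants discussed in this thread (an explicit attribute list that DS refuses, the "*" the patch settled on, and Thierry's prefix-wildcard suggestion), worked through as an added example that is not FreeIPA or 389 DS code. The schema set is constructed and deliberately lacks nsslapd-changelogdir; the ACI rendering only approximates what IPA's permission plugin generates (the "permission:" ACI name prefix, the groupdn under cn=permissions,cn=pbac and the dc=example,dc=com suffix are all assumptions); and the branch that lets a trailing-wildcard attribute pattern through models Thierry's suggestion, which the thread leaves unconfirmed for real DS.

```python
"""Schema-aware rendering of an IPA-style permission definition to a 389 DS ACI.

Added example, not FreeIPA or 389 DS code. Uses a constructed schema and an ACI
format that only approximates what IPA's permission plugin generates.
"""


class AclSyntaxError(ValueError):
    """Raised where DS would refuse the ACI: a named targetattr not in the schema."""


# Constructed stand-in for the DS schema (attribute types the acl plugin knows).
# nsslapd-changelogdir is deliberately absent, as in the thread: the ldbm database
# config entry is an extensibleObject and the attribute is not defined in schema.
SCHEMA_ATTRS = {
    "cn", "objectClass", "nsslapd-directory", "nsslapd-cachememsize",
    "nsslapd-dbcachesize", "nsslapd-db-home-directory", "nsslapd-import-cachesize",
}

# Constructed: the permission from the patch under discussion, as a plain dict.
READ_LDBM_CONFIG = {
    "name": "System: Read LDBM database config",
    "ipapermtarget": "cn=config,cn=ldbm database,cn=plugins,cn=config",
    "ipapermright": {"read", "search", "compare"},
    "ipapermdefaultattr": {"*"},
}

SUFFIX = "dc=example,dc=com"  # assumed IPA base DN, not taken from the thread


def check_targetattr(attrs, schema_attrs=SCHEMA_ATTRS):
    """Emulate the DS acl plugin check described in the thread.

    A bare '*' passes. A trailing-wildcard pattern such as 'nsslapd-changelogdir*'
    is let through to model Thierry's suggestion (assumption: the thread does not
    confirm DS accepts it). Any other name must be a known attribute type.
    Returns the sorted list of rejected names (empty when the ACI would be accepted).
    """
    known = {s.lower() for s in schema_attrs}
    rejected = [a for a in attrs
                if a != "*" and not a.endswith("*") and a.lower() not in known]
    return sorted(rejected)


def render_aci(perm, suffix=SUFFIX, schema_attrs=SCHEMA_ATTRS):
    """Render a permission dict into a 389 DS ACI string, or raise AclSyntaxError.

    Assumed format (close to IPA's, not copied from it): the ACI is named
    'permission:<name>' and bind rule type 'permission' becomes a groupdn that
    points at the permission entry under cn=permissions,cn=pbac,<suffix>.
    The 'target' keyword is what bounds the grant to the config entry and its
    subtree; 'targetattr' only selects attributes within that scope.
    """
    attrs = perm["ipapermdefaultattr"]
    rejected = check_targetattr(attrs, schema_attrs)
    if rejected:
        raise AclSyntaxError("targetattr not in schema: " + ", ".join(rejected))
    targetattr = " || ".join(sorted(attrs))
    rights = ",".join(sorted(perm["ipapermright"]))
    bind = 'groupdn = "ldap:///cn=%s,cn=permissions,cn=pbac,%s"' % (perm["name"], suffix)
    return (
        '(targetattr = "%s")' % targetattr
        + '(target = "ldap:///%s")' % perm["ipapermtarget"]
        + '(version 3.0;acl "permission:%s";' % perm["name"]
        + "allow (%s) %s;)" % (rights, bind)
    )


def narrow(perm, attrs):
    """Return a copy of the permission with a different targetattr list."""
    return {**perm, "ipapermdefaultattr": set(attrs)}


def explain(perm, **kw):
    """Try to render; return ('ok', aci) or ('acl syntax error', message)."""
    try:
        return ("ok", render_aci(perm, **kw))
    except AclSyntaxError as e:
        return ("acl syntax error", str(e))


if __name__ == "__main__":
    variants = {
        "explicit attribute (Martin's first try)": narrow(READ_LDBM_CONFIG, {"nsslapd-changelogdir"}),
        "wildcard '*' (the patch as posted)": READ_LDBM_CONFIG,
        "prefix pattern (Thierry's suggestion)": narrow(READ_LDBM_CONFIG, {"nsslapd-changelogdir*"}),
    }
    for label, perm in variants.items():
        status, detail = explain(perm)
        print("%s -> %s\n    %s" % (label, status, detail))
```

Running the block shows the first variant failing with the same class of error Martin hit, and the other two rendering; the second line of each rendered ACI makes the point of the review discussion visible: whatever targetattr says, the `target` clause keeps the grant to the ldbm database config entry and its subtree, which is why "*" was tolerable for a Replication Administrators permission.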