On 02/19/2015 05:45 PM, Martin Kosek wrote:
On 02/19/2015 05:40 PM, Alexander Bokovoy wrote:
On Thu, 19 Feb 2015, Tomas Babej wrote:
On 02/19/2015 05:32 PM, Martin Kosek wrote:
On 02/19/2015 05:29 PM, Alexander Bokovoy wrote:
On Thu, 19 Feb 2015, Tomas Babej wrote:
Hi,

Fixes the invalid attribute name reference in the
'System: Read User Addressbook Attributes' permission.

https://fedorahosted.org/freeipa/ticket/4883

Tomas
 From 93ab1bf897151992df4bd3588386cf8fed4849d2 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 19 Feb 2015 17:10:37 +0100
Subject: [PATCH] ipalib: Make sure correct attribute name is referenced for
fax

Fixes the invalid attribute name reference in the
'System: Read User Addressbook Attributes' permission.

https://fedorahosted.org/freeipa/ticket/4883
---
ipalib/plugins/user.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 56585b9f86593c0c5879139103bc71707b88e15f..abe5ee26b8e48681eeb0cbb3bcff8617e212225c 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -276,7 +276,7 @@ class user(LDAPObject):
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
                 'seealso', 'telephonenumber',
-                'fax', 'l', 'ou', 'st', 'postalcode', 'street',
+                'facsimiletelephonenumber', 'l', 'ou', 'st', 'postalcode',
'street',
                 'destinationindicator', 'internationalisdnnumber',
                 'physicaldeliveryofficename', 'postaladdress',
'postofficebox',
                 'preferreddeliverymethod', 'registeredaddress',
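Review bot: The changed line in 'ipapermdefaultattr' drops 'fax' outright rather than keeping it next to 'facsimiletelephonenumber'. The thread notes that 00core.ldif still defines 'fax' as an alias, so consider listing both names so that the permission covers either spelling. The commit message should also state which attribute name was wrong and what replaces it; "invalid attribute name reference" alone does not tell a later reader that the change is 'fax' to 'facsimiletelephonenumber'.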
00core.ldif still contains 'fax' definition as an alias to
'facsimileTelephoneNumber' so strictly speaking both should be allowed
even though 'fax' attribute name is deprecated.
Should, but does not (I tested). This may be a gap in DS ACI evaluation.
However, for FreeIPA side, I prefer Tomas' change, even for compatibility with
other DS-es - so ACK from me.
Martin is right, however, I think Alexander was pointing out that we should
support the deprecated name 'fax', as well as 'facsimileTelephoneNumber'
directly in the 'System: Read User Addressbook Attributes' read permission.

Am I reading this correctly?
Exactly, both names should be supported in the ACI.
Ah, I thought you were referring to DS, not being able to recognize the
alias. Although following this logic, we should for example also have ACIs for
commonName, given it's an alias for "cn", right?

Attaching updated patch with both fax and facsimileTelephoneNumber.

However, Martin is right, the problem occurs multiple times:

attributeTypes: ( 2.5.4.6 NAME ( 'c' 'countryName' )
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' )
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
attributeTypes: ( 2.5.4.49 NAME ( 'distinguishedName' 'dn' )
attributeTypes: ( 2.5.4.23 NAME ( 'facsimileTelephoneNumber' 'fax' )
attributeTypes: ( 2.5.4.7 NAME ( 'l' 'locality' 'localityname' )
attributeTypes: ( 2.5.4.10 NAME ( 'o' 'organizationname' )
attributeTypes: ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' )
attributeTypes: ( 2.5.4.4 NAME ( 'sn' 'surName' )
attributeTypes: ( 2.5.4.8 NAME ( 'st' 'stateOrProvinceName' )
attributeTypes: ( 2.5.4.9 NAME ( 'street' 'streetaddress' )
attributeTypes: ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' )


From 519a9a2100ee2795c18f6c5578527bd4605174af Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 19 Feb 2015 17:10:37 +0100
Subject: [PATCH] ipalib: Make sure correct attribute name is referenced for
 fax

Fixes the invalid attribute name reference in the
'System: Read User Addressbook Attributes' permission.

https://fedorahosted.org/freeipa/ticket/4883
---
 ACI.txt                | 2 +-
 ipalib/plugins/user.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index c5483ad4d3428c0449f3e099600e0384e573f17a..6d0e87cbcfe67cd383b3070a1b4c51d1749da1ca 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -257,7 +257,7 @@ aci: (targetattr = "businesscategory || carlicense || cn || description || displ
 dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "*")(target = "ldap:///cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read UPG Definition";allow (compare,read,search) groupdn = "ldap:///cn=System: Read UPG Definition,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "audio || businesscategory || carlicense || departmentnumber || destinationindicator || employeenumber || employeetype || fax || homephone || homepostaladdress || inetuserhttpurl || inetuserstatus || internationalisdnnumber || jpegphoto || l || labeleduri || mail || mobile || o || ou || pager || photo || physicaldeliveryofficename || postaladdress || postalcode || postofficebox || preferreddeliverymethod || preferredlanguage || registeredaddress || roomnumber || secretary || seealso || st || street || telephonenumber || teletexterminalidentifier || telexnumber || usercertificate || usersmimecertificate || x121address || x500uniqueidentifier")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Addressbook Attributes";allow (compare,read,search) userdn = "ldap:///all";;)
+aci: (targetattr = "audio || businesscategory || carlicense || departmentnumber || destinationindicator || employeenumber || employeetype || facsimiletelephonenumber || fax || homephone || homepostaladdress || inetuserhttpurl || inetuserstatus || internationalisdnnumber || jpegphoto || l || labeleduri || mail || mobile || o || ou || pager || photo || physicaldeliveryofficename || postaladdress || postalcode || postofficebox || preferreddeliverymethod || preferredlanguage || registeredaddress || roomnumber || secretary || seealso || st || street || telephonenumber || teletexterminalidentifier || telexnumber || usercertificate || usersmimecertificate || x121address || x500uniqueidentifier")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Addressbook Attributes";allow (compare,read,search) userdn = "ldap:///all";;)
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || gecos || gidnumber || homedirectory || loginshell || modifytimestamp || objectclass || uid || uidnumber")(target = "ldap:///cn=users,cn=compat,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Read User Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";;)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
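Review bot: In the '+' aci line only the fax attribute gets both of its names ("facsimiletelephonenumber || fax"), while other attributes in the same targetattr that the message lists as aliased ("l", "o", "ou", "st", "street") still appear under a single name. Either treat them the same way or say in the commit message why fax is the only one handled here. The subject line still reads "Make sure correct attribute name is referenced", which no longer matches a change that keeps the old name and adds the second one.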
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 56585b9f86593c0c5879139103bc71707b88e15f..666ef1f4d4fdef4fc6edcf01ffd10336a527befc 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -275,8 +275,8 @@ class user(LDAPObject):
             'ipapermbindruletype': 'all',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
-                'seealso', 'telephonenumber',
-                'fax', 'l', 'ou', 'st', 'postalcode', 'street',
+                'seealso', 'telephonenumber', 'fax',
+                'facsimiletelephonenumber', 'l', 'ou', 'st', 'postalcode', 'street',
                 'destinationindicator', 'internationalisdnnumber',
                 'physicaldeliveryofficename', 'postaladdress', 'postofficebox',
                 'preferreddeliverymethod', 'registeredaddress',
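Review bot: The two added lines in 'ipapermdefaultattr' list 'fax' and 'facsimiletelephonenumber' side by side with no comment, so a later cleanup could remove one of them as a duplicate. Add a short comment saying that both names of the same attribute are listed on purpose. The new "'facsimiletelephonenumber', 'l', 'ou', 'st', 'postalcode', 'street'," line also runs past 79 columns once the indentation is counted, so move 'street' to the next line.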
-- 
2.1.0

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
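
An added example, not part of the thread or of FreeIPA: a small audit that takes the schema NAME clauses quoted above and reports which attributes in an ACI's targetattr have alias names the ACI does not list, which matters if, as reported in the thread, ACI evaluation does not match an alias. The function names and the shortened sample ACI are constructed for illustration.

```python
import re

# Subset of the schema NAME clauses quoted in the thread (from 00core.ldif).
SCHEMA = """\
attributeTypes: ( 2.5.4.23 NAME ( 'facsimileTelephoneNumber' 'fax' )
attributeTypes: ( 2.5.4.7 NAME ( 'l' 'locality' 'localityname' )
attributeTypes: ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' )
attributeTypes: ( 2.5.4.8 NAME ( 'st' 'stateOrProvinceName' )
attributeTypes: ( 2.5.4.9 NAME ( 'street' 'streetaddress' )
"""

# Constructed, shortened ACI in the same shape as the ACI.txt entries.
SAMPLE_ACI = ('(targetattr = "fax || l || ou || st || street || telephonenumber")'
              '(version 3.0;acl "permission:Constructed sample";'
              'allow (compare,read,search) userdn = "ldap:///all";)')

NAME_CLAUSE = re.compile(r"\(\s*[\d.]+\s+NAME\s+\(\s*((?:'[^']+'\s*)+)\)")


def alias_groups(schema_text):
    """Map every lowercased attribute name to all names sharing its OID."""
    groups = {}
    for names in NAME_CLAUSE.findall(schema_text):
        group = frozenset(n.lower() for n in re.findall(r"'([^']+)'", names))
        for name in group:
            groups[name] = group
    return groups


def parse_targetattr(aci):
    """Return the lowercased attribute names of an ACI's targetattr clause."""
    match = re.search(r'targetattr\s*=\s*"([^"]*)"', aci)
    if match is None:
        return set()
    return {a.strip().lower() for a in match.group(1).split("||") if a.strip()}


def missing_aliases(attrs, groups):
    """Return {listed name: sorted alias names absent from attrs}."""
    listed = {a.lower() for a in attrs}
    report = {}
    for name in sorted(listed):
        absent = groups.get(name, frozenset()) - listed
        if absent:
            report[name] = sorted(absent)
    return report


if __name__ == "__main__":
    found = missing_aliases(parse_targetattr(SAMPLE_ACI), alias_groups(SCHEMA))
    for name, absent in found.items():
        print(f"{name}: not covered under alias(es) {', '.join(absent)}")
```
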
