On 07/07/2015 10:51 AM, Jan Cholasta wrote:
> Dne 3.7.2015 v 15:44 Endi Sukma Dewata napsal(a):
>> Here is the rebased patch for vault access control.
>>
> 
> LGTM, except:
> 
> @@ -356,6 +386,13 @@ class vault(LDAPObject):
>                  {
>                      'objectclass': ['nsContainer'],
>                      'cn': rdn['cn'],
> +                    'aci':
> +                        '(targetfilter="(objectClass=ipaVault)")' +
> +                        '(version 3.0; ' +
> +                        'acl "User can manage private vaults"; ' +
> +                        'allow(read, search, compare, add, delete) ' +
> +                        'userdn="ldap:///%s";;)'
> +                        % owner_dn
>                  })
> 
>              # if entry can be added, return
> 
> I don't think dynamically creating ACIs with hardcoded userdn is something we
> want to do. This should be handled by a single ACI in cn=vaults.

+1. Single ACI like

+default: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Vault
owners can manage the vault"; allow(read, search, compare, write)
userattr="owner#USERDN";)

you already have there is more preferred.

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to