Dne 7.7.2015 v 16:42 Endi Sukma Dewata napsal(a):
----- Original Message -----
On 07/07/2015 10:51 AM, Jan Cholasta wrote:
Dne 3.7.2015 v 15:44 Endi Sukma Dewata napsal(a):
Here is the rebased patch for vault access control.
@@ -356,6 +386,13 @@ class vault(LDAPObject):
+ '(targetfilter="(objectClass=ipaVault)")' +
+ '(version 3.0; ' +
+ 'acl "User can manage private vaults"; ' +
+ 'allow(read, search, compare, add, delete) ' +
+ % owner_dn
# if entry can be added, return
I don't think dynamically creating ACIs with hardcoded userdn is something
want to do. This should be handled by a single ACI in cn=vaults.
+1. Single ACI like
+default: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl
owners can manage the vault"; allow(read, search, compare, write)
you already have there is more preferred.
New patch attached. For this to work the container itself needs an 'owner'
attribute, so I changed the nsContainer into ipaVaultContainer.
I don't think that's really necessary on the top-level containers.
Anyway, the patch works, so ACK.
Pushed to master: bf6df3df9b388753a52a0040d9c15b1eabce41ca
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code