Dne 7.7.2015 v 16:42 Endi Sukma Dewata napsal(a):
----- Original Message -----
On 07/07/2015 10:51 AM, Jan Cholasta wrote:
Dne 3.7.2015 v 15:44 Endi Sukma Dewata napsal(a):
Here is the rebased patch for vault access control.
LGTM, except:
@@ -356,6 +386,13 @@ class vault(LDAPObject):
{
'objectclass': ['nsContainer'],
'cn': rdn['cn'],
+ 'aci':
+ '(targetfilter="(objectClass=ipaVault)")' +
+ '(version 3.0; ' +
+ 'acl "User can manage private vaults"; ' +
+ 'allow(read, search, compare, add, delete) ' +
+ 'userdn="ldap:///%s";)'
+ % owner_dn
})
# if entry can be added, return
I don't think dynamically creating ACIs with hardcoded userdn is something
we
want to do. This should be handled by a single ACI in cn=vaults.
+1. Single ACI like
+default: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl
"Vault
owners can manage the vault"; allow(read, search, compare, write)
userattr="owner#USERDN";)
you already have there is more preferred.
New patch attached. For this to work the container itself needs an 'owner'
attribute, so I changed the nsContainer into ipaVaultContainer.
I don't think that's really necessary on the top-level containers.
Anyway, the patch works, so ACK.
Pushed to master: bf6df3df9b388753a52a0040d9c15b1eabce41ca
--
Jan Cholasta
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code