Dne 7.7.2015 v 16:42 Endi Sukma Dewata napsal(a):
----- Original Message -----
On 07/07/2015 10:51 AM, Jan Cholasta wrote:
Dne 3.7.2015 v 15:44 Endi Sukma Dewata napsal(a):
Here is the rebased patch for vault access control.

LGTM, except:

@@ -356,6 +386,13 @@ class vault(LDAPObject):
                      'objectclass': ['nsContainer'],
                      'cn': rdn['cn'],
+                    'aci':
+                        '(targetfilter="(objectClass=ipaVault)")' +
+                        '(version 3.0; ' +
+                        'acl "User can manage private vaults"; ' +
+                        'allow(read, search, compare, add, delete) ' +
+                        'userdn="ldap:///%s";;)'
+                        % owner_dn

              # if entry can be added, return

I don't think dynamically creating ACIs with hardcoded userdn is something
want to do. This should be handled by a single ACI in cn=vaults.

+1. Single ACI like

+default: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl
owners can manage the vault"; allow(read, search, compare, write)

you already have there is more preferred.

New patch attached. For this to work the container itself needs an 'owner' 
attribute, so I changed the nsContainer into ipaVaultContainer.

I don't think that's really necessary on the top-level containers.

Anyway, the patch works, so ACK.

Pushed to master: bf6df3df9b388753a52a0040d9c15b1eabce41ca

Jan Cholasta

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to