On 13.10.2015 10:18, Jan Cholasta wrote:
Hi,

the attached patch fixes <https://fedorahosted.org/freeipa/ticket/5361>.

Honza

I decided to use a slightly different approach; the updated patch is attached.

--
Jan Cholasta
From cda42f4388e2c8b20294b246ac973c1c3e011944 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Tue, 13 Oct 2015 10:10:48 +0200
Subject: [PATCH] vault: fix private service vault creation

https://fedorahosted.org/freeipa/ticket/5361
---
 install/updates/40-vault.update | 3 ++-
 ipalib/plugins/vault.py         | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/install/updates/40-vault.update b/install/updates/40-vault.update
index 3daea5b..8d03f34 100644
--- a/install/updates/40-vault.update
+++ b/install/updates/40-vault.update
@@ -7,8 +7,9 @@ remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0
 remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault members can access the vault"; allow(read, search, compare) userattr="member#GROUPDN";)
 remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#USERDN";)
 remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#GROUPDN";)
+remove: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX";)(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow services to create private container"; allow(add) userdn="ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
 addifexist: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX";)(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow users to create private container"; allow(add) userdn="ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
-addifexist: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX";)(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow services to create private container"; allow(add) userdn="ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
+addifexist: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX";)(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow services to create private container"; allow(add) userdn="ldap:///krbprincipalname=($$attr.cn),cn=services,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
 addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Container owners can access the container"; allow(read, search, compare) userattr="owner#USERDN";)
 addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Indirect container owners can access the container"; allow(read, search, compare) userattr="owner#GROUPDN";)
 addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description")(version 3.0; acl "Container owners can manage the container"; allow(write, delete) userattr="owner#USERDN";)
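Review bot: The rewritten `addifexist:` ACI (userdn template `krbprincipalname=($$attr.cn),cn=services,cn=accounts,$SUFFIX`, no `@$REALM`) only grants `add` when the container `cn` is the full service principal including its realm, which is exactly what the vault.py half of this patch now stores; nothing in the update file records that coupling. A comment line above the ACI, e.g. `# service containers are named by the full principal (incl. realm); keep in sync with the principal handling in ipalib/plugins/vault.py`, would stop a later edit to either side from silently breaking private service vault creation, assuming the update format accepts comments. The preceding `remove:` line presumably matches the old value verbatim, so an installed copy that differs in any detail would keep the old ACI; that seems harmless here, since the old template would then append `@$REALM` to an already realm-qualified cn and match no existing service entry.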
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index b5bd50b..f94bf9d 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -400,7 +400,7 @@ class vaultcontainer(LDAPObject):
 
             (name, realm) = split_principal(principal)
             if '/' in name:
-                service = name
+                service = principal
             else:
                 user = name
 
@@ -718,7 +718,7 @@ class vault(LDAPObject):
 
             (name, realm) = split_principal(principal)
             if '/' in name:
-                service = name
+                service = principal
             else:
                 user = name
 
-- 
2.4.3

