On 24.2.2016 15:43, Martin Basti wrote:

On 24.02.2016 13:36, Jan Cholasta wrote:
On 24.2.2016 13:07, Martin Basti wrote:

On 24.02.2016 10:45, Jan Cholasta wrote:
On 23.2.2016 17:20, Martin Basti wrote:

On 22.02.2016 09:00, Jan Cholasta wrote:

On 17.2.2016 14:49, Martin Basti wrote:

Patch attached (for master, 4.3, 4.2)

1) All the replication agreement permission ACIs should be located in
the same entry. Currently "Read Replication Agreements" is in
"cn=config" and everything else in "cn=mapping tree,cn=config", so I
guess "cn=mapping tree,cn=config" makes more sense.

2) Instead of literal DN('cn=permissions,cn=pbac'), use

3) IMO the removal of managed permission attributes could be a little
bit more robust. You should check that the original entry contains
the required values before touching it (objectclass=ipapermissionv2,
ipapermissiontype=V2, ipapermissiontype=MANAGED) and remove only the
values that need to be removed, instead of just overwriting


Updated patch attached.

The patch does not apply on ipa-4-2.

I will send it later.

Also this bit in replica-acis.ldif is redundant:

+dn: cn=mapping tree,cn=config
+changetype: modify
+add: aci
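Review bot: the three added lines (`dn: cn=mapping tree,cn=config`, `changetype: modify`, `add: aci`) open a fresh modify record for a single attribute type; if the record just above it in replica-acis.ldif already does `add: aci` on the same DN, put the new `aci:` value there instead of repeating the header. If one record per ACI is the file's deliberate style, say so in the commit message so the repetition is not read as an oversight.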
All related ACIs to replication are in both replica-acis.ldif and
I just do not want to mess it more than it is.

What I'm trying to say is that:

    dn: cn=mapping tree,cn=config
    changetype: modify
    add: aci
    aci: $ACI1

    dn: cn=mapping tree,cn=config
    changetype: modify
    add: aci
    aci: $ACI2

is the same as:

    dn: cn=mapping tree,cn=config
    changetype: modify
    add: aci
    aci: $ACI1
    aci: $ACI2

. You actually have it right in 20-aci.update, but not in

I made it in that way to keep consistency in the replica-acis.ldif file.

I see. I missed that.

Patch for 4-2 added

Thanks, ACK.

Pushed to:
master: bba2355631c4cbadfb5089663c2a3af65a817fb7
ipa-4-2: de7ec77ea8811a6add2eab5d0853686484ae732c
ipa-4-3: 2bac05a18720c4ab84bc1de5573d3d96e73ddc55

Jan Cholasta
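
The equivalence of the split and merged LDIF forms discussed above can be checked mechanically; this is an added example, not part of the original thread or of FreeIPA's code. The function names are hypothetical, `$ACI1`/`$ACI2` are the thread's own placeholders, and the parser is simplified (no line folding, no base64 values) and compares only which values end up added to which entry.

```python
# Constructed sample input: the two forms quoted in the thread, with the
# $ACI1/$ACI2 placeholders kept as written there.
SPLIT = """\
dn: cn=mapping tree,cn=config
changetype: modify
add: aci
aci: $ACI1

dn: cn=mapping tree,cn=config
changetype: modify
add: aci
aci: $ACI2
"""
MERGED = """\
dn: cn=mapping tree,cn=config
changetype: modify
add: aci
aci: $ACI1
aci: $ACI2
"""

def added_values(ldif_text):
    """Map (dn, attribute) -> set of values added by modify records.
    Simplified: no line folding, no base64 ('::') values."""
    result = {}
    for record in ldif_text.strip().split("\n\n"):
        dn, attr, is_modify = None, None, False
        for line in record.splitlines():
            if line.startswith("#"):
                continue
            if line.strip() == "-":          # separator between modifications
                attr = None
                continue
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value.lower()           # crude DN normalisation (assumption)
            elif key == "changetype":
                is_modify = value.lower() == "modify"
            elif key in ("add", "replace", "delete"):
                attr = value.lower() if key == "add" and is_modify else None
            elif attr is not None and key == attr:
                result.setdefault((dn, attr), set()).add(value)
    return result

def same_additions(a, b):
    """True when both LDIF texts add the same values to the same entries."""
    return added_values(a) == added_values(b)
```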
