On 06/24/2016 03:14 PM, Martin Basti wrote:



On 24.06.2016 15:11, Sumit Bose wrote:
On Tue, Jun 21, 2016 at 02:25:49PM -0400, Nathaniel McCallum wrote:
https://fedorahosted.org/freeipa/ticket/433
The patch works for me as expected, but the API.txt update is missing in
the patch.

bye,
Sumit

There are no updated managed permissions for krbprincipalauthind attribute in hosts.py, is this omitted on purpose?
Martin^2

The attached patch adds them should these be required.


From becd1e2d284dcd98a2ba35fcd68e0f9354f0a365 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Wed, 29 Jun 2016 15:45:28 +0200
Subject: [PATCH] Added permissions for auth. indicators read/modify

Added permissions for Kerberos authentication indicators reading and
modifying to host and service objects.

https://fedorahosted.org/freeipa/ticket/433
---
 ipaserver/plugins/host.py    | 3 ++-
 ipaserver/plugins/service.py | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 1091f85748d675c479285ad73465aa9541c61b45..be4a1711f3d6b7ee3bc12cbee1c705a9067f73b2 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -333,7 +333,7 @@ class host(LDAPObject):
                 'enrolledby', 'managedby', 'ipaassignedidview',
                 'krbprincipalname', 'krbcanonicalname', 'krbprincipalaliases',
                 'krbprincipalexpiration', 'krbpasswordexpiration',
-                'krblastpwdchange',
+                'krblastpwdchange', 'krbprincipalauthind',
             },
         },
         'System: Read Host Membership': {
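Review bot: the read permission that gains 'krbprincipalauthind' on the added line is not named anywhere in this hunk's context, and its bind rule is not visible either. Name the permission in the commit message, and confirm that everyone who can already read 'krbprincipalexpiration' and 'krblastpwdchange' through it is also meant to see the host's authentication indicators.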
@@ -411,6 +411,7 @@ class host(LDAPObject):
             'ipapermdefaultattr': {
                 'description', 'l', 'nshardwareplatform', 'nshostlocation',
                 'nsosversion', 'macaddress', 'userclass', 'ipaassignedidview',
+                'krbprincipalauthind',
             },
             'replaces': [
                 '(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX";)',
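Review bot: adding 'krbprincipalauthind' to ipapermdefaultattr here gives every holder of Modify Hosts (the permission named in the 'replaces' ACI) write access to the host's Kerberos authentication indicators, in the same grant as descriptive attributes such as 'description' and 'macaddress'. If changing the indicators is meant to be delegated less widely than those, a separate managed permission would be the safer shape. Otherwise, state in the commit message that folding it into Modify Hosts is intended.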
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 701314f8d9f2ac14c2b92fea1b75c7bf1754dac3..bc5bf529b45568d63e2a5b99906a7755d4ac8d40 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -437,7 +437,7 @@ class service(LDAPObject):
                 'krbprincipalname', 'krbcanonicalname', 'krbprincipalaliases',
                 'krbprincipalexpiration', 'krbpasswordexpiration',
                 'krblastpwdchange', 'ipakrbauthzdata', 'ipakrbprincipalalias',
-                'krbobjectreferences',
+                'krbobjectreferences', 'krbprincipalauthind',
             },
         },
         'System: Add Services': {
@@ -465,7 +465,7 @@ class service(LDAPObject):
         },
         'System: Modify Services': {
             'ipapermright': {'write'},
-            'ipapermdefaultattr': {'usercertificate'},
+            'ipapermdefaultattr': {'usercertificate', 'krbprincipalauthind'},
             'replaces': [
                 '(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX";)',
             ],
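Review bot: nothing in this patch exercises the new write right on 'System: Modify Services'; the diffstat lists only host.py and service.py. A test showing that a holder of the permission can set 'krbprincipalauthind' on a service and that a non-holder is refused would cover this hunk and the matching host.py change.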
-- 
2.5.5
