On 06/29/2016 03:53 PM, Martin Basti wrote:


On 29.06.2016 15:52, Stanislav Laznicka wrote:
On 06/24/2016 03:14 PM, Martin Basti wrote:


On 24.06.2016 15:11, Sumit Bose wrote:
On Tue, Jun 21, 2016 at 02:25:49PM -0400, Nathaniel McCallum wrote:
https://fedorahosted.org/freeipa/ticket/433
The patch works for me as expected, but the API.txt update is missing in
the patch.

bye,
Sumit

There are no updated managed permissions for the krbprincipalauthind attribute in hosts.py; is this omitted on purpose?
Martin^2

The attached patch adds them should these be required.



Then we also need a patch for services.py, because there are missing ACIs too

Martin^2

It was already included but let me separate it in two patches, then.

From d05969e29aa190602ae9f90c6e6161e517b0ad0d Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Wed, 29 Jun 2016 15:56:55 +0200
Subject: [PATCH 1/2] host: Added permissions for auth. indicators read/modify

Added permissions for Kerberos authentication indicators reading and
modifying to host objects.

https://fedorahosted.org/freeipa/ticket/433
---
 ipaserver/plugins/host.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 0072431de3f130d09066100f12d9fcb34e9fb96b..c54439e9b55de85d871241083ccb512cc1a88f29 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -333,7 +333,7 @@ class host(LDAPObject):
                 'enrolledby', 'managedby', 'ipaassignedidview',
                 'krbprincipalname', 'krbcanonicalname', 'krbprincipalaliases',
                 'krbprincipalexpiration', 'krbpasswordexpiration',
-                'krblastpwdchange',
+                'krblastpwdchange', 'krbprincipalauthind',
             },
         },
         'System: Read Host Membership': {
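Review bot: The 'krbprincipalauthind' entry added on the 'krblastpwdchange' line changes the default attribute set of a managed permission, yet the diffstat lists only ipaserver/plugins/host.py (1 file changed). Earlier in this thread the original patch was found to be missing its API.txt update, and the same kind of check applies here: if the tree keeps a generated record of the managed-permission ACIs, regenerate it in this commit so the record and the plugin do not drift apart.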
@@ -411,6 +411,7 @@ class host(LDAPObject):
             'ipapermdefaultattr': {
                 'description', 'l', 'nshardwareplatform', 'nshostlocation',
                 'nsosversion', 'macaddress', 'userclass', 'ipaassignedidview',
+                'krbprincipalauthind',
             },
             'replaces': [
                 '(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX";)',
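Review bot: Adding 'krbprincipalauthind' to 'ipapermdefaultattr' in this hunk puts it under the same write permission as 'description', 'macaddress' and the other descriptive host attributes, so every holder of that permission also gets write access to the host's authentication indicators. The legacy ACI listed in 'replaces' covered only description, l, nshostlocation, nshardwareplatform and nsosversion, none of them a Kerberos attribute. Please either say in the commit message that this widening is intended, or move the attribute to a separate, narrower permission so that changing authentication indicators can be delegated independently of the descriptive fields.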
-- 
2.5.5

From 3a503b91680b49afc5bc0ba39ec5451f5b0352a1 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Wed, 29 Jun 2016 15:58:07 +0200
Subject: [PATCH 2/2] service: Added permissions for auth. indicators
 read/modify

Added permissions for Kerberos authentication indicators reading and
modifying to service objects.
---
 ipaserver/plugins/service.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 701314f8d9f2ac14c2b92fea1b75c7bf1754dac3..bc5bf529b45568d63e2a5b99906a7755d4ac8d40 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -437,7 +437,7 @@ class service(LDAPObject):
                 'krbprincipalname', 'krbcanonicalname', 'krbprincipalaliases',
                 'krbprincipalexpiration', 'krbpasswordexpiration',
                 'krblastpwdchange', 'ipakrbauthzdata', 'ipakrbprincipalalias',
-                'krbobjectreferences',
+                'krbobjectreferences', 'krbprincipalauthind',
             },
         },
         'System: Add Services': {
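Review bot: The subject and body of this patch say permissions were "added", but this hunk only appends 'krbprincipalauthind' to the attribute set of an existing permission (the 'krbobjectreferences' line); no new permission is defined. Reword the message to name the existing permissions that are extended, and add the ticket link that patch 1/2 carries, which is missing from this message.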
@@ -465,7 +465,7 @@ class service(LDAPObject):
         },
         'System: Modify Services': {
             'ipapermright': {'write'},
-            'ipapermdefaultattr': {'usercertificate'},
+            'ipapermdefaultattr': {'usercertificate', 'krbprincipalauthind'},
             'replaces': [
                 '(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX";)',
             ],
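Review bot: In 'System: Modify Services' the 'ipapermdefaultattr' set is now written on one line, {'usercertificate', 'krbprincipalauthind'}, while the attribute sets changed in host.py keep their members on separate lines with a trailing comma. Use the multi-line form here as well, so that the next attribute added to this permission shows up as a one-line addition rather than a rewritten line.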
-- 
2.5.5
