On 1 August 2013 09:36, Martin Kosek <[email protected]> wrote:
>
> The patch for this would do basically this:
> - remove the following aci:
> (targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read,
> search, compare) groupdn = "ldap:///cn=Modify Replication
> Agreements,cn=permissions,cn=pbac,$SUFFIX";)
> ... from installer and from LDAP as it is too general
> - add new permission ACI like this:
>
> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version
> 3.0; acl "permission:Read Replication Agreements"; allow (read, search,
> compare) groupdn = "ldap:///cn=Read Replication
> Agreements,cn=permissions,cn=pbac,$SUFFIX";)
> - make sure that "Replication Administrators" privilege has it assigned.
>
> I created an upstream ticket to track this effort:
> https://fedorahosted.org/freeipa/ticket/3829
>

Reading the upstream documentation I'm wondering if it'd be sensible to include
an additional ACI in replica-acis.ldif of:

dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr="dn || nsDS5ReplConflict || nsUniqueId")(targetfilter="(|(objectclass=nsTombstone)(nsDS5ReplConflict=*))")(version 3.0; aci "conflict read access"; allow (read, search, compare) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)

From the upstream documentation here:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Configuration_Command_and_File_Reference/index.html#Replication_Attributes_under_cnreplica_cnsuffixName_cnmapping_tree_cnconfig

This would allow a user with the Read Replication Agreements permission to
search for conflict or tombstone records, which would seem sane from a
monitoring point of view... What do you think?

Also, just to confirm: the only thing I need to do with ACIs like this is to
update the ldif (delegation.ldif and replica-acis.ldif) with the new
role/privilege/permission and ACIs in install/share for new installs, and add
an appropriate entry (not quite ldif) in install/updates to update the default
schema of those updating in future, given no new attributes - right?

Cheers,
James
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
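As an added example (not code from this thread or from the FreeIPA project): a small Python parser for 389 DS ACI strings of the kind discussed above. It splits the target rules from the version/permission clause, rejects unbalanced groups (a doubled "((" or a stray ")" leaves a group unterminated, which is what happens to the conflict ACI exactly as typed in the reply), and flags allow rules that, like the `(targetattr != aci)` ACI being removed, reach every entry under the suffix because they carry no targetfilter or target. The SUFFIX value is a constructed stand-in for $SUFFIX, and the three ACI constants are the thread's ACIs with that substitution.

```python
"""Parse 389 DS / FreeIPA-style ACI strings and flag overly broad target rules.
Added example, not FreeIPA project code; SUFFIX is a constructed stand-in for $SUFFIX."""
import re
from dataclasses import dataclass, field

SUFFIX = "dc=example,dc=com"  # constructed placeholder for $SUFFIX
# One target rule, e.g. (targetattr != aci) or (targetfilter="(...)").
TARGET_RE = re.compile(
    r'^\s*(targetattr|targetfilter|targetscope|target)\s*(!?=)\s*"?(.*?)"?\s*$', re.S)
# Final clause: version 3.0; acl|aci "name"; allow|deny (perms) bind-rule;
VERSION_RE = re.compile(
    r'^\s*version\s+3\.0\s*;\s*(?:acl|aci)\s+"([^"]*)"\s*;\s*(allow|deny)\s*'
    r'\(([^)]*)\)\s*(.*?)\s*;?\s*$', re.S)

@dataclass
class Aci:
    name: str
    allow: bool
    permissions: list
    bind_rule: str
    targets: dict = field(default_factory=dict)  # keyword -> (operator, value)

def top_level_groups(text):
    """Split an ACI into its top-level '(...)' groups, honouring nesting and quotes."""
    groups, depth, start, in_quote = [], 0, None, False
    for i, ch in enumerate(text):
        if ch == '"':
            in_quote = not in_quote
        elif in_quote:
            continue
        elif ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' at offset %d" % i)
            if depth == 0:
                groups.append(text[start + 1:i])
        elif depth == 0 and not ch.isspace():
            raise ValueError("text outside any group at offset %d" % i)
    if depth != 0 or in_quote:
        raise ValueError("unterminated group or quoted string")
    return groups

def parse_aci(text):
    """Parse one ACI value; a leading LDIF 'aci:' prefix is stripped."""
    groups = top_level_groups(re.sub(r"^\s*aci:\s*", "", text))
    m = VERSION_RE.match(groups[-1]) if groups else None
    if not m:
        raise ValueError("missing or malformed version/permission clause")
    name, kind, perms, bind = m.groups()
    aci = Aci(name=name, allow=(kind == "allow"), bind_rule=bind.strip(),
              permissions=[p.strip() for p in perms.split(",") if p.strip()])
    for group in groups[:-1]:
        t = TARGET_RE.match(group)
        if not t:
            raise ValueError("malformed target rule: %r" % group)
        key, op, value = t.groups()
        if key == "targetattr":
            value = [a.strip() for a in value.split("||")]  # 389 DS list separator
        aci.targets[key] = (op, value)
    return aci

def is_well_formed(text):
    """True when the ACI parses; a doubled '((' or stray ')' makes this False."""
    try:
        parse_aci(text)
        return True
    except ValueError:
        return False

def lint(aci):
    """Flag allow rules whose targetattr reaches every entry under the suffix."""
    attr = aci.targets.get("targetattr")
    if not attr or not aci.allow or "targetfilter" in aci.targets or "target" in aci.targets:
        return []
    op, attrs = attr
    scope = ("every attribute except " + ", ".join(attrs)) if op == "!=" else (
        "every attribute" if attrs == ["*"] else None)
    if scope is None:
        return []
    return ["'%s' grants %s on %s of every entry under the suffix (no targetfilter/target)"
            % (aci.name, ", ".join(aci.permissions), scope)]

# ACIs from the thread with $SUFFIX substituted: the one being removed, its scoped
# replacement, and the conflict/tombstone ACI exactly as typed (note the doubled "((").
OLD_ACI = ('(targetattr != aci)(version 3.0; aci "replica admins read access"; allow '
           '(read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,'
           'cn=permissions,cn=pbac,%s";)' % SUFFIX)
NEW_ACI = ('(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)'
           '(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)'
           '(objectClass=nsMappingTree))")(version 3.0; acl "permission:Read Replication '
           'Agreements"; allow (read, search, compare) groupdn = "ldap:///cn=Read '
           'Replication Agreements,cn=permissions,cn=pbac,%s";)' % SUFFIX)
CONFLICT_ACI_AS_TYPED = ('aci: (targetattr=dn nsDS5ReplConflict nsUniqureID)'
                         '(targetfilter="(|(objectclass=nsTombstone)(nsDS5ReplConflict=*))")'
                         '((version 3.0; aci "conflict read access"; allow (read, search, '
                         'compare) groupdn = "ldap:///cn=Read Replication Agreements,'
                         'cn=permissions,cn=pbac,%s";)' % SUFFIX)

if __name__ == "__main__":
    for label, text in (("old", OLD_ACI), ("new", NEW_ACI), ("conflict", CONFLICT_ACI_AS_TYPED)):
        if not is_well_formed(text):
            print(label, "REJECTED (unbalanced groups)")
        else:
            print(label, lint(parse_aci(text)) or ["no findings"])
```

Running it reports the old ACI as granting read, search and compare on every attribute except aci of every entry under the suffix, passes the scoped replacement with no findings, and rejects the conflict ACI as typed; a check like this fits naturally in a pre-commit hook over the ldif files under install/share and install/updates.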
