On 08/01/2013 03:56 PM, James Hogarth wrote:
> On 1 August 2013 09:36, Martin Kosek <mko...@redhat.com> wrote:
>>
>> The patch for this would do basically this:
>> - remove the following aci:
>>   (targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
>>   ... from installer and from LDAP as it is too general
>> - add new permission ACI like this:
>>
>>   (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
>> - make sure that "Replication Administrators" privilege has it assigned.
>>
>> I created an upstream ticket to track this effort:
>> https://fedorahosted.org/freeipa/ticket/3829
>>
>
> Reading the upstream documentation I'm wondering if it'd be sensible to include an additional ACI in replica-acis.ldif of:
>
> dn: $SUFFIX
> changetype: modify
> add: aci
> aci: (targetattr="dn || nsDS5ReplConflict || nsUniqueId")(targetfilter="(|(objectclass=nsTombstone)(nsDS5ReplConflict=*))")(version 3.0; aci "conflict read access"; allow (read, search, compare) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
>
> From the upstream documentation here:
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Configuration_Command_and_File_Reference/index.html#Replication_Attributes_under_cnreplica_cnsuffixName_cnmapping_tree_cnconfig
>
> This would allow a user with Read Replication Agreements permission to be able to search for conflicts or tombstone records which would seem sane from a monitoring point of view...
>
> What do you think?
I think it would make sense, but IMO it should have a separate permission named "Read Replication Conflicts" - this would also need the aci to be named "permission:Read Replication Conflicts" to let IPA couple it with the actual ACI.

> Also just to confirm the only thing I need to do with ACIs like this is to update the ldif (delegation.ldif and replica-acis.ldif) with the new role/privilege/permission and acis in install/share for the new installs and add an appropriate entry (not quite ldif) in install/updates to update the default schema of those updating in future, given no new attributes - right?

That's right (you also need to remove the inappropriate ACI). You also need to make sure that the appropriate privilege has these new permissions as members - I tried to capture these steps in the upstream ticket.

Martin
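As an added illustration of the naming coupling Martin describes (not code from the thread or from FreeIPA itself), the script below parses a 389-ds ACI string and checks that it is shaped like an IPA permission: the aci name carries the "permission:" prefix, the groupdn points at the matching cn under cn=permissions,cn=pbac, a "Read" permission grants only read/search/compare, and a negated targetattr (the reason the old ACI is being dropped) is flagged. The two sample ACIs are constructed for the example; the conflict one assumes the separate "Read Replication Conflicts" permission Martin proposes.

```python
import re

# Constructed sample ACIs modelled on the thread: the over-broad one being
# removed, and a conflict-read ACI written as a proper IPA permission.
OLD_ACI = (
    '(targetattr != aci)(version 3.0; aci "replica admins read access"; '
    'allow (read, search, compare) groupdn = '
    '"ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)'
)
CONFLICT_ACI = (
    '(targetattr="dn || nsDS5ReplConflict || nsUniqueId")'
    '(targetfilter="(|(objectclass=nsTombstone)(nsDS5ReplConflict=*))")'
    '(version 3.0; acl "permission:Read Replication Conflicts"; '
    'allow (read, search, compare) groupdn = '
    '"ldap:///cn=Read Replication Conflicts,cn=permissions,cn=pbac,$SUFFIX";)'
)

PERM_PREFIX = "permission:"

def parse_aci(aci):
    """Pull out the parts of a 389-ds ACI string that the checks below need."""
    name = re.search(r'\b(?:aci|acl)\s+"([^"]*)"', aci)
    attr = re.search(r'\(targetattr\s*(!=|=)\s*"?([^"()]+?)"?\s*\)', aci)
    rights = re.search(r'\ballow\s*\(([^)]*)\)', aci)
    group = re.search(r'groupdn\s*=\s*"ldap:///([^"]*)"', aci)
    return {
        "name": name.group(1) if name else None,
        "attr_op": attr.group(1) if attr else None,
        "attrs": [a.strip() for a in attr.group(2).split("||")] if attr else [],
        "rights": [r.strip() for r in rights.group(1).split(",")] if rights else [],
        "groupdn": group.group(1) if group else None,
    }

def check_permission_aci(aci):
    """Return the problems found; an empty list means the ACI passes."""
    p = parse_aci(aci)
    problems = []
    if not p["name"] or not p["name"].startswith(PERM_PREFIX):
        return ["aci name must start with 'permission:' so IPA can couple it"]
    perm = p["name"][len(PERM_PREFIX):]
    expected = "cn=%s,cn=permissions,cn=pbac,$SUFFIX" % perm
    if p["groupdn"] != expected:
        problems.append("groupdn should be %r, got %r" % (expected, p["groupdn"]))
    if p["attr_op"] == "!=":
        problems.append("negated targetattr exposes every attribute but the listed ones")
    if perm.startswith("Read ") and not set(p["rights"]) <= {"read", "search", "compare"}:
        problems.append("a Read permission should allow only read, search, compare")
    return problems
```

Running the checker over the ACIs in install/share before an update is pushed catches a mismatched groupdn or a missing "permission:" prefix, which would otherwise leave a permission that IPA cannot manage.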