Re: [Freeipa-devel] [PATCH] 813 fix enrolledBy regression

2011-07-15 Thread Rob Crittenden

Martin Kosek wrote:

On Tue, 2011-07-12 at 15:11 -0400, Rob Crittenden wrote:

Martin Kosek wrote:

On Fri, 2011-07-01 at 11:41 -0400, Rob Crittenden wrote:

enrolledBy represents the DN of the entry that enrolled a host. We don't
want an admin to manipulate this but an aci allowed it. This was a
regression.

ticket 302

rob


Works fine with a new IPA installation.

Still, I have some concerns:

1) What about the ACI in existing installations? This patch won't affect it.

2) There are 2 typos in the comment in the ldif (admini, --setaddr)

Martin



Well, I didn't consider the lack of an update to be a huge problem
originally. I went ahead and added one. This required changing the
syntax of replace slightly, using two colons to distinguish between old
and new.

Typos fixed too.

rob


ACK. Works fine.

Martin



pushed to master

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 813 fix enrolledBy regression

2011-07-13 Thread Martin Kosek
On Tue, 2011-07-12 at 15:11 -0400, Rob Crittenden wrote:
 Martin Kosek wrote:
  On Fri, 2011-07-01 at 11:41 -0400, Rob Crittenden wrote:
  enrolledBy represents the DN of the entry that enrolled a host. We don't
  want an admin to manipulate this but an aci allowed it. This was a
  regression.
 
  ticket 302
 
  rob
 
  Works fine with a new IPA installation.
 
  Still, I have some concerns:
 
  1) What about the ACI in existing installations? This patch won't affect it.
 
  2) There are 2 typos in the comment in the ldif (admini, --setaddr)
 
  Martin
 
 
 Well, I didn't consider the lack of an update to be a huge problem 
 originally. I went ahead and added one. This required changing the 
 syntax of replace slightly, using two colons to distinguish between old 
 and new.
 
 Typos fixed too.
 
 rob

ACK. Works fine.

Martin



Re: [Freeipa-devel] [PATCH] 813 fix enrolledBy regression

2011-07-12 Thread Martin Kosek
On Fri, 2011-07-01 at 11:41 -0400, Rob Crittenden wrote:
 enrolledBy represents the DN of the entry that enrolled a host. We don't 
 want an admin to manipulate this but an aci allowed it. This was a 
 regression.
 
 ticket 302
 
 rob

Works fine with a new IPA installation.

Still, I have some concerns:

1) What about the ACI in existing installations? This patch won't affect it.

2) There are 2 typos in the comment in the ldif (admini, --setaddr)

Martin

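Martin's first concern above is that an installation which already carries the old ACI keeps granting write on enrolledBy. As an added example (not FreeIPA code and not part of this thread), the following Python audit unfolds an LDIF export, parses each `aci:` value and lists the ACLs that still grant write on a given attribute; the sample LDIF is constructed from the patch's before and after "Enroll a host" ACI with the quoting real LDIF carries, and `$SUFFIX` stands in for the base DN.

```python
"""Audit 389-ds ACIs in an LDIF fragment for write access to a protected attribute.
Added example (not FreeIPA code); the sample ACIs are constructed from the patch's before/after ACI."""
import re

# Constructed sample: pre-patch ACI (write on enrolledby), post-patch ACI, and a read-only one.
SAMPLE_LDIF = """\
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Enroll a host (fixed)";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "enrolledby")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Read enrollment";allow (read, search) groupdn = "ldap:///cn=Read hosts,cn=permissions,cn=pbac,$SUFFIX";)
"""
TARGETATTR_RE = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', re.I)
ACL_NAME_RE = re.compile(r'acl\s+"([^"]*)"', re.I)
ALLOW_RE = re.compile(r'allow\s*\(([^)]*)\)', re.I)

def unfold(ldif_text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    out = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def parse_aci(aci):
    """Return (acl_name, negated, attrs, rights) from one ACI value."""
    m = TARGETATTR_RE.search(aci)
    negated = bool(m and m.group(1) == "!=")
    attrs = [a.strip().lower() for a in m.group(2).split("||")] if m else []
    name = ACL_NAME_RE.search(aci)
    rights = set()
    for allow in ALLOW_RE.finditer(aci):
        rights.update(r.strip().lower() for r in allow.group(1).split(","))
    return (name.group(1) if name else "?", negated, attrs, rights)

def acis_granting_write(ldif_text, attr):
    """Names of ACIs in ldif_text whose allow clause grants write (or all) on attr."""
    hits = []
    for line in unfold(ldif_text):
        if not line.lower().startswith("aci:"):
            continue
        name, negated, attrs, rights = parse_aci(line[4:].strip())
        # 'targetattr != ...' covers every attribute except those listed
        covers = (attr.lower() not in attrs) if negated else (attr.lower() in attrs or "*" in attrs)
        if covers and rights & {"write", "all"}:
            hits.append(name)
    return hits
```

Run it against an `ldapsearch -b "$SUFFIX" aci` export of a live server to see whether the pre-patch ACI is still present.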


Re: [Freeipa-devel] [PATCH] 813 fix enrolledBy regression

2011-07-12 Thread Rob Crittenden

Martin Kosek wrote:

On Fri, 2011-07-01 at 11:41 -0400, Rob Crittenden wrote:

enrolledBy represents the DN of the entry that enrolled a host. We don't
want an admin to manipulate this but an aci allowed it. This was a
regression.

ticket 302

rob


Works fine with a new IPA installation.

Still, I have some concerns:

1) What about the ACI in existing installations? This patch won't affect it.

2) There are 2 typos in the comment in the ldif (admini, --setaddr)

Martin



Well, I didn't consider the lack of an update to be a huge problem 
originally. I went ahead and added one. This required changing the 
syntax of replace slightly, using two colons to distinguish between old 
and new.


Typos fixed too.

rob
From fb66e8e6a6cb54f3befd31886f03ae9254ec438e Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Fri, 1 Jul 2011 10:41:42 -0400
Subject: [PATCH] Disallow direct modifications to enrolledBy.

This fixes a regression.

We don't need to allow enrolledBy to be modified because it gets
written in the ipa_enrollment plugin which does internal operations
so bypasses acis.

https://fedorahosted.org/freeipa/ticket/302
---
 install/share/delegation.ldif|6 +++-
 install/updates/10-60basev2.update   |   40 +++---
 install/updates/40-delegation.update |4 +++
 install/updates/50-lockout-policy.update |4 +-
 install/updates/50-suppress-upg.update   |2 +-
 ipaserver/install/ldapupdate.py  |4 +-
 6 files changed, 33 insertions(+), 27 deletions(-)

diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 5d4949ae37a33eabb9646b181e41923c5811275f..a3c6bd110fd38183d418a7f0b1e8e978228e74a3 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -647,12 +647,14 @@ aci: (targetattr = krbprincipalkey || krblastpwdchange)(target = ldap:///krbp
 
 # Add the ACI needed to do host enrollment. When this occurs we
 # set the krbPrincipalName, add krbPrincipalAux to objectClass and
-# set enrolledBy to whoever ran join.
+# set enrolledBy to whoever ran join. enrolledBy is specifically
+# not listed here, it is set by the plugin but we don't want an
+# admin overriding it using --setattr or ldapmodify.
 
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr = enrolledby || objectclass)(target = ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX;)(version 3.0;acl permission:Enroll a host;allow (write) groupdn = ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX;)
+aci: (targetattr = objectclass)(target = ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX;)(version 3.0;acl permission:Enroll a host;allow (write) groupdn = ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX;)
 
 # Entitlement administration
 
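Review bot: the comment in the `+` lines explains why enrolledBy is absent from targetattr, but its first sentence still lists krbPrincipalName as something set during enrollment while the ACI now grants write on objectclass only; either state that krbPrincipalName is likewise written by the plugin's internal operations or name the ACI that covers it, so a later reader does not take the narrowed targetattr for a second omission.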
diff --git a/install/updates/10-60basev2.update b/install/updates/10-60basev2.update
index 578cf4ad07e95266477c28f6f504f163b4ea979a..ff1f3da2bbeabaeb8ae8f2d15ca4fd73db16b38b 100644
--- a/install/updates/10-60basev2.update
+++ b/install/updates/10-60basev2.update
@@ -1,22 +1,22 @@
 # Fix some problems with the original 60basev2 schema file.
 dn: cn=schema
-replace:attributeTypes:( 2.16.840.1.113730.3.8.3.1 NAME 'ipaUniqueID' DESC 'Unique identifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ):( 2.16.840.1.113730.3.8.3.1 NAME 'ipaUniqueID' DESC 'Unique identifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
-replace:attributeTypes: ( 2.16.840.1.113730.3.8.3.2 NAME 'ipaClientVersion' DESC 'Text string describing client version of the IPA software installed' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ):( 2.16.840.1.113730.3.8.3.2 NAME 'ipaClientVersion' DESC 'Text string describing client version of the IPA software installed' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
-replace:attributeTypes:( 2.16.840.1.113730.3.8.3.3 NAME 'enrolledBy' DESC 'DN of administrator who performed manual enrollment of the host' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' ):( 2.16.840.1.113730.3.8.3.3 NAME 'enrolledBy' DESC 'DN of administrator who performed manual enrollment of the host' SUP distinguishedName X-ORIGIN 'IPA v2' )
-replace:attributeTypes:( 2.16.840.1.113730.3.8.3.4 NAME 'fqdn' DESC 'FQDN' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ):( 2.16.840.1.113730.3.8.3.4 NAME 'fqdn' DESC 'FQDN' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
-replace:attributeTypes:( 2.16.840.1.113730.3.8.3.18 NAME 'managedBy' DESC 'DNs of entries allowed to manage' 
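Review bot: the `-` lines show the old single-colon form `replace:attributeTypes:( old ):( new )` with inconsistent spacing, `replace:attributeTypes: (` on the ipaClientVersion line but no space on the others; if the updater matches the old value by string comparison, a stray space makes the replace silently not match, so the rewritten two-colon `+` lines should normalise it. The `+` side of this hunk is cut off in the archive, so the new form cannot be checked here.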

[Freeipa-devel] [PATCH] 813 fix enrolledBy regression

2011-07-01 Thread Rob Crittenden
enrolledBy represents the DN of the entry that enrolled a host. We don't 
want an admin to manipulate this but an aci allowed it. This was a 
regression.


ticket 302

rob
From c9525eeba3a423f3f376a2492fea5f2f89a1250d Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Fri, 1 Jul 2011 10:41:42 -0400
Subject: [PATCH] Disallow direct modifications to enrolledBy.

This fixes a regression.

We don't need to allow enrolledBy to be modified because it gets
written in the ipa_enrollment plugin which does internal operations
so bypasses acis.

https://fedorahosted.org/freeipa/ticket/302
---
 install/share/delegation.ldif |6 --
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 5d4949a..21c6749 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -647,12 +647,14 @@ aci: (targetattr = krbprincipalkey || krblastpwdchange)(target = ldap:///krbp
 
 # Add the ACI needed to do host enrollment. When this occurs we
 # set the krbPrincipalName, add krbPrincipalAux to objectClass and
-# set enrolledBy to whoever ran join.
+# set enrolledBy to whoever ran join. enrolledBy is specifically
+# not listed here, it is set by the plugin but we don't want an
+# admini overriding it using --setaddr or ldapmodify.
 
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr = enrolledby || objectclass)(target = ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX;)(version 3.0;acl permission:Enroll a host;allow (write) groupdn = ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX;)
+aci: (targetattr = objectclass)(target = ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX;)(version 3.0;acl permission:Enroll a host;allow (write) groupdn = ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX;)
 
 # Entitlement administration
 
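Review bot: the comment added in the `+` lines has two typos, `admini` for `admin` and `--setaddr` for `--setattr`. Also, the diffstat shows only install/share/delegation.ldif changing, which is applied at install time, so an existing installation that already carries the `enrolledby || objectclass` ACI keeps granting write on enrolledBy until an update file rewrites it; a matching entry under install/updates is needed.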
-- 
1.7.4
