[Freeipa-devel] [PATCH] 0168 add permission for reading ipaSshPubkey for ID overrides
Hi!
A small patch to fix https://fedorahosted.org/freeipa/ticket/4664
--
/ Alexander Bokovoy
From 6f793a9e4450d6a41576c98ca61f6273277ccd60 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Fri, 24 Oct 2014 15:01:27 +0300
Subject: [PATCH] Add ipaSshPubkey to the ACI to read ID user overrides
https://fedorahosted.org/freeipa/ticket/4664
---
ACI.txt | 2 +-
ipalib/plugins/idviews.py | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/ACI.txt b/ACI.txt
index 27a5d2f..f987807 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -131,7 +131,7 @@ aci: (targetfilter = (objectclass=ipahostgroup))(version
3.0;acl permission:S
dn: cn=views,cn=accounts,dc=ipa,dc=example
aci: (targetattr = cn || createtimestamp || description || entryusn ||
gidnumber || ipaanchoruuid || modifytimestamp || objectclass)(targetfilter =
(objectclass=ipaGroupOverride))(version 3.0;acl permission:System: Read
Group ID Overrides;allow (compare,read,search) userdn = ldap:///all;;)
dn: cn=views,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = createtimestamp || description || entryusn || gecos ||
homedirectory || ipaanchoruuid || ipaoriginaluid || loginshell ||
modifytimestamp || objectclass || uid || uidnumber)(targetfilter =
(objectclass=ipaUserOverride))(version 3.0;acl permission:System: Read User
ID Overrides;allow (compare,read,search) userdn = ldap:///all;;)
+aci: (targetattr = createtimestamp || description || entryusn || gecos ||
homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey || loginshell
|| modifytimestamp || objectclass || uid || uidnumber)(targetfilter =
(objectclass=ipaUserOverride))(version 3.0;acl permission:System: Read User
ID Overrides;allow (compare,read,search) userdn = ldap:///all;;)
dn: cn=ranges,cn=etc,dc=ipa,dc=example
aci: (targetattr = cn || createtimestamp || entryusn || ipabaseid ||
ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype ||
ipasecondarybaserid || modifytimestamp || objectclass)(targetfilter =
(objectclass=ipaidrange))(version 3.0;acl permission:System: Read ID
Ranges;allow (compare,read,search) userdn = ldap:///all;;)
dn: cn=views,cn=accounts,dc=ipa,dc=example
diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index bfa8675..cd297a4 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -659,6 +659,7 @@ class idoverrideuser(baseidoverride):
'ipapermdefaultattr': {
'objectClass', 'ipaAnchorUUID', 'uidNumber', 'description',
'homeDirectory', 'uid', 'ipaOriginalUid', 'loginShell',
'gecos',
+'ipaSshPubkey',
},
},
}
--
2.1.0
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0168 add permission for reading ipaSshPubkey for ID overrides
On Fri, 24 Oct 2014, Alexander Bokovoy wrote:
Hi!
A small patch to fix https://fedorahosted.org/freeipa/ticket/4664
Sumit noted that we also miss gidNumber from the user's override
permissions. Added to the new version of the patch.
--
/ Alexander Bokovoy
From f980405957aeb912b28f8559416faba9c6bbd1bb Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Fri, 24 Oct 2014 15:01:27 +0300
Subject: [PATCH] Add ipaSshPubkey to the ACI to read ID user overrides
https://fedorahosted.org/freeipa/ticket/4664
---
ACI.txt | 2 +-
ipalib/plugins/idviews.py | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/ACI.txt b/ACI.txt
index 27a5d2f..6680f65 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -131,7 +131,7 @@ aci: (targetfilter = (objectclass=ipahostgroup))(version
3.0;acl permission:S
dn: cn=views,cn=accounts,dc=ipa,dc=example
aci: (targetattr = cn || createtimestamp || description || entryusn ||
gidnumber || ipaanchoruuid || modifytimestamp || objectclass)(targetfilter =
(objectclass=ipaGroupOverride))(version 3.0;acl permission:System: Read
Group ID Overrides;allow (compare,read,search) userdn = ldap:///all;;)
dn: cn=views,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = createtimestamp || description || entryusn || gecos ||
homedirectory || ipaanchoruuid || ipaoriginaluid || loginshell ||
modifytimestamp || objectclass || uid || uidnumber)(targetfilter =
(objectclass=ipaUserOverride))(version 3.0;acl permission:System: Read User
ID Overrides;allow (compare,read,search) userdn = ldap:///all;;)
+aci: (targetattr = createtimestamp || description || entryusn || gecos ||
gidnumber || homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey
|| loginshell || modifytimestamp || objectclass || uid ||
uidnumber)(targetfilter = (objectclass=ipaUserOverride))(version 3.0;acl
permission:System: Read User ID Overrides;allow (compare,read,search) userdn
= ldap:///all;;)
dn: cn=ranges,cn=etc,dc=ipa,dc=example
aci: (targetattr = cn || createtimestamp || entryusn || ipabaseid ||
ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype ||
ipasecondarybaserid || modifytimestamp || objectclass)(targetfilter =
(objectclass=ipaidrange))(version 3.0;acl permission:System: Read ID
Ranges;allow (compare,read,search) userdn = ldap:///all;;)
dn: cn=views,cn=accounts,dc=ipa,dc=example
diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index bfa8675..9c87210 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -659,6 +659,7 @@ class idoverrideuser(baseidoverride):
'ipapermdefaultattr': {
'objectClass', 'ipaAnchorUUID', 'uidNumber', 'description',
'homeDirectory', 'uid', 'ipaOriginalUid', 'loginShell',
'gecos',
+'gidNumber', 'ipaSshPubkey',
},
},
}
--
2.1.0
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0168 add permission for reading ipaSshPubkey for ID overrides
On 10/24/2014 02:14 PM, Alexander Bokovoy wrote: On Fri, 24 Oct 2014, Alexander Bokovoy wrote: Hi! A small patch to fix https://fedorahosted.org/freeipa/ticket/4664 Sumit noted that we also miss gidNumber from the user's override permissions. Added to the new version of the patch. The patch itself works fine, I tested an upgrade + ldapsearch with host/ principal. However, patch description needs update to also reflect gidNumber being added. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0168 add permission for reading ipaSshPubkey for ID overrides
On Fri, 24 Oct 2014, Martin Kosek wrote:
On 10/24/2014 02:14 PM, Alexander Bokovoy wrote:
On Fri, 24 Oct 2014, Alexander Bokovoy wrote:
Hi!
A small patch to fix https://fedorahosted.org/freeipa/ticket/4664
Sumit noted that we also miss gidNumber from the user's override
permissions. Added to the new version of the patch.
The patch itself works fine, I tested an upgrade + ldapsearch with
host/ principal. However, patch description needs update to also
reflect gidNumber being added.
Updated.
--
/ Alexander Bokovoy
From 208e9d750948bf2144aeae1ae6133f035b5716cd Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Fri, 24 Oct 2014 15:01:27 +0300
Subject: [PATCH] Add ipaSshPubkey and gidNumber to the ACI to read ID user
overrides
https://fedorahosted.org/freeipa/ticket/4664
---
ACI.txt | 2 +-
ipalib/plugins/idviews.py | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/ACI.txt b/ACI.txt
index 27a5d2f..6680f65 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -131,7 +131,7 @@ aci: (targetfilter = (objectclass=ipahostgroup))(version
3.0;acl permission:S
dn: cn=views,cn=accounts,dc=ipa,dc=example
aci: (targetattr = cn || createtimestamp || description || entryusn ||
gidnumber || ipaanchoruuid || modifytimestamp || objectclass)(targetfilter =
(objectclass=ipaGroupOverride))(version 3.0;acl permission:System: Read
Group ID Overrides;allow (compare,read,search) userdn = ldap:///all;;)
dn: cn=views,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = createtimestamp || description || entryusn || gecos ||
homedirectory || ipaanchoruuid || ipaoriginaluid || loginshell ||
modifytimestamp || objectclass || uid || uidnumber)(targetfilter =
(objectclass=ipaUserOverride))(version 3.0;acl permission:System: Read User
ID Overrides;allow (compare,read,search) userdn = ldap:///all;;)
+aci: (targetattr = createtimestamp || description || entryusn || gecos ||
gidnumber || homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey
|| loginshell || modifytimestamp || objectclass || uid ||
uidnumber)(targetfilter = (objectclass=ipaUserOverride))(version 3.0;acl
permission:System: Read User ID Overrides;allow (compare,read,search) userdn
= ldap:///all;;)
dn: cn=ranges,cn=etc,dc=ipa,dc=example
aci: (targetattr = cn || createtimestamp || entryusn || ipabaseid ||
ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype ||
ipasecondarybaserid || modifytimestamp || objectclass)(targetfilter =
(objectclass=ipaidrange))(version 3.0;acl permission:System: Read ID
Ranges;allow (compare,read,search) userdn = ldap:///all;;)
dn: cn=views,cn=accounts,dc=ipa,dc=example
diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index bfa8675..9c87210 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -659,6 +659,7 @@ class idoverrideuser(baseidoverride):
'ipapermdefaultattr': {
'objectClass', 'ipaAnchorUUID', 'uidNumber', 'description',
'homeDirectory', 'uid', 'ipaOriginalUid', 'loginShell',
'gecos',
+'gidNumber', 'ipaSshPubkey',
},
},
}
--
2.1.0
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0168 add permission for reading ipaSshPubkey for ID overrides
On 10/24/2014 03:32 PM, Alexander Bokovoy wrote: On Fri, 24 Oct 2014, Martin Kosek wrote: On 10/24/2014 02:14 PM, Alexander Bokovoy wrote: On Fri, 24 Oct 2014, Alexander Bokovoy wrote: Hi! A small patch to fix https://fedorahosted.org/freeipa/ticket/4664 Sumit noted that we also miss gidNumber from the user's override permissions. Added to the new version of the patch. The patch itself works fine, I tested an upgrade + ldapsearch with host/ principal. However, patch description needs update to also reflect gidNumber being added. Updated. ACK. Pushed to: master: d6b28f29ecffae604801a5380efdff135734785d ipa-4-1: 47ab6351f1dc75cee0f2b868401f38174b67f87a Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
