[Freeipa-devel] [PATCH] 0168 add permission for reading ipaSshPubkey for ID overrides
Hi! A small patch to fix https://fedorahosted.org/freeipa/ticket/4664
--
/ Alexander Bokovoy

From 6f793a9e4450d6a41576c98ca61f6273277ccd60 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Fri, 24 Oct 2014 15:01:27 +0300 Subject: [PATCH] Add ipaSshPubkey to the ACI to read ID user overrides https://fedorahosted.org/freeipa/ticket/4664 --- ACI.txt | 2 +- ipalib/plugins/idviews.py | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ACI.txt b/ACI.txt index 27a5d2f..f987807 100644 --- a/ACI.txt +++ b/ACI.txt
@@ -131,7 +131,7 @@ aci: (targetfilter = (objectclass=ipahostgroup))(version 3.0;acl permission:S dn: cn=views,cn=accounts,dc=ipa,dc=example aci: (targetattr = cn || createtimestamp || description || entryusn || gidnumber || ipaanchoruuid || modifytimestamp || objectclass)(targetfilter = (objectclass=ipaGroupOverride))(version 3.0;acl permission:System: Read Group ID Overrides;allow (compare,read,search) userdn = ldap:///all;;) dn: cn=views,cn=accounts,dc=ipa,dc=example -aci: (targetattr = createtimestamp || description || entryusn || gecos || homedirectory || ipaanchoruuid || ipaoriginaluid || loginshell || modifytimestamp || objectclass || uid || uidnumber)(targetfilter = (objectclass=ipaUserOverride))(version 3.0;acl permission:System: Read User ID Overrides;allow (compare,read,search) userdn = ldap:///all;;) +aci: (targetattr = createtimestamp || description || entryusn || gecos || homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey || loginshell || modifytimestamp || objectclass || uid || uidnumber)(targetfilter = (objectclass=ipaUserOverride))(version 3.0;acl permission:System: Read User ID Overrides;allow (compare,read,search) userdn = ldap:///all;;) dn: cn=ranges,cn=etc,dc=ipa,dc=example aci: (targetattr = cn || createtimestamp || entryusn || ipabaseid || ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || ipasecondarybaserid || modifytimestamp || objectclass)(targetfilter = (objectclass=ipaidrange))(version 3.0;acl permission:System: Read ID Ranges;allow (compare,read,search) userdn = ldap:///all;;) dn: cn=views,cn=accounts,dc=ipa,dc=example diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py index bfa8675..cd297a4 100644 --- a/ipalib/plugins/idviews.py +++ b/ipalib/plugins/idviews.py 
@@ -659,6 +659,7 @@ class idoverrideuser(baseidoverride): 'ipapermdefaultattr': { 'objectClass', 'ipaAnchorUUID', 'uidNumber', 'description', 'homeDirectory', 'uid', 'ipaOriginalUid', 'loginShell', 'gecos', +'ipaSshPubkey', }, }, } -- 2.1.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
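Review bot: the ACI.txt hunk adds ipasshpubkey to the `System: Read User ID Overrides` targetattr list but still leaves out gidnumber, while the sibling `System: Read Group ID Overrides` ACI shown in the same context lists gidnumber; a reader that is allowed uidnumber on a user override will also need the override's primary group, so consider adding `gidnumber` to the same targetattr list in this patch. The grant stays `userdn = ldap:///all` (every authenticated bind), identical to the existing permission, and ipaSshPubkey is a public key, so the hunk adds no exposure beyond what the ACI already permits.

Review bot: the idviews.py hunk and the ACI.txt hunk change the same permission (`ipapermdefaultattr` of the user override plugin vs. the `Read User ID Overrides` ACI), and both must be kept in sync, which this patch does; since only the default attribute set is touched, the change should be verified on an upgraded install rather than only a fresh one, with an ldapsearch for ipaSshPubkey bound as the host principal that consumes the overrides.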
Re: [Freeipa-devel] [PATCH] 0168 add permission for reading ipaSshPubkey for ID overrides
On Fri, 24 Oct 2014, Alexander Bokovoy wrote:
> Hi! A small patch to fix https://fedorahosted.org/freeipa/ticket/4664
Sumit noted that we also miss gidNumber from the user's override permissions. Added to the new version of the patch.
--
/ Alexander Bokovoy

From f980405957aeb912b28f8559416faba9c6bbd1bb Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Fri, 24 Oct 2014 15:01:27 +0300 Subject: [PATCH] Add ipaSshPubkey to the ACI to read ID user overrides https://fedorahosted.org/freeipa/ticket/4664 --- ACI.txt | 2 +- ipalib/plugins/idviews.py | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ACI.txt b/ACI.txt index 27a5d2f..6680f65 100644 --- a/ACI.txt +++ b/ACI.txt
@@ -131,7 +131,7 @@ aci: (targetfilter = (objectclass=ipahostgroup))(version 3.0;acl permission:S dn: cn=views,cn=accounts,dc=ipa,dc=example aci: (targetattr = cn || createtimestamp || description || entryusn || gidnumber || ipaanchoruuid || modifytimestamp || objectclass)(targetfilter = (objectclass=ipaGroupOverride))(version 3.0;acl permission:System: Read Group ID Overrides;allow (compare,read,search) userdn = ldap:///all;;) dn: cn=views,cn=accounts,dc=ipa,dc=example -aci: (targetattr = createtimestamp || description || entryusn || gecos || homedirectory || ipaanchoruuid || ipaoriginaluid || loginshell || modifytimestamp || objectclass || uid || uidnumber)(targetfilter = (objectclass=ipaUserOverride))(version 3.0;acl permission:System: Read User ID Overrides;allow (compare,read,search) userdn = ldap:///all;;) +aci: (targetattr = createtimestamp || description || entryusn || gecos || gidnumber || homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey || loginshell || modifytimestamp || objectclass || uid || uidnumber)(targetfilter = (objectclass=ipaUserOverride))(version 3.0;acl permission:System: Read User ID Overrides;allow (compare,read,search) userdn = ldap:///all;;) dn: cn=ranges,cn=etc,dc=ipa,dc=example aci: (targetattr = cn || createtimestamp || entryusn || ipabaseid || ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || ipasecondarybaserid || modifytimestamp || objectclass)(targetfilter = (objectclass=ipaidrange))(version 3.0;acl permission:System: Read ID Ranges;allow (compare,read,search) userdn = ldap:///all;;) dn: cn=views,cn=accounts,dc=ipa,dc=example diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py index bfa8675..9c87210 100644 --- a/ipalib/plugins/idviews.py +++ b/ipalib/plugins/idviews.py 
@@ -659,6 +659,7 @@ class idoverrideuser(baseidoverride): 'ipapermdefaultattr': { 'objectClass', 'ipaAnchorUUID', 'uidNumber', 'description', 'homeDirectory', 'uid', 'ipaOriginalUid', 'loginShell', 'gecos', +'gidNumber', 'ipaSshPubkey', }, }, } -- 2.1.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
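Review bot: the commit subject still reads "Add ipaSshPubkey to the ACI to read ID user overrides" although the idviews.py hunk now adds both `'gidNumber'` and `'ipaSshPubkey'` and the ACI.txt hunk adds both gidnumber and ipasshpubkey; update the subject and description to name both attributes so the log matches the diff. The two files agree with each other in this version, which is what matters for the permission to behave the same on fresh installs and after the updater runs.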
Re: [Freeipa-devel] [PATCH] 0168 add permission for reading ipaSshPubkey for ID overrides
On 10/24/2014 02:14 PM, Alexander Bokovoy wrote:
> On Fri, 24 Oct 2014, Alexander Bokovoy wrote:
>> Hi! A small patch to fix https://fedorahosted.org/freeipa/ticket/4664
> Sumit noted that we also miss gidNumber from the user's override permissions. Added to the new version of the patch.

The patch itself works fine, I tested an upgrade + ldapsearch with host/ principal. However, patch description needs update to also reflect gidNumber being added.
Re: [Freeipa-devel] [PATCH] 0168 add permission for reading ipaSshPubkey for ID overrides
On Fri, 24 Oct 2014, Martin Kosek wrote:
> On 10/24/2014 02:14 PM, Alexander Bokovoy wrote:
>> On Fri, 24 Oct 2014, Alexander Bokovoy wrote:
>>> Hi! A small patch to fix https://fedorahosted.org/freeipa/ticket/4664
>> Sumit noted that we also miss gidNumber from the user's override permissions. Added to the new version of the patch.
> The patch itself works fine, I tested an upgrade + ldapsearch with host/ principal. However, patch description needs update to also reflect gidNumber being added.
Updated.
--
/ Alexander Bokovoy

From 208e9d750948bf2144aeae1ae6133f035b5716cd Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Fri, 24 Oct 2014 15:01:27 +0300 Subject: [PATCH] Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides https://fedorahosted.org/freeipa/ticket/4664 --- ACI.txt | 2 +- ipalib/plugins/idviews.py | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ACI.txt b/ACI.txt index 27a5d2f..6680f65 100644 --- a/ACI.txt +++ b/ACI.txt
@@ -131,7 +131,7 @@ aci: (targetfilter = (objectclass=ipahostgroup))(version 3.0;acl permission:S dn: cn=views,cn=accounts,dc=ipa,dc=example aci: (targetattr = cn || createtimestamp || description || entryusn || gidnumber || ipaanchoruuid || modifytimestamp || objectclass)(targetfilter = (objectclass=ipaGroupOverride))(version 3.0;acl permission:System: Read Group ID Overrides;allow (compare,read,search) userdn = ldap:///all;;) dn: cn=views,cn=accounts,dc=ipa,dc=example -aci: (targetattr = createtimestamp || description || entryusn || gecos || homedirectory || ipaanchoruuid || ipaoriginaluid || loginshell || modifytimestamp || objectclass || uid || uidnumber)(targetfilter = (objectclass=ipaUserOverride))(version 3.0;acl permission:System: Read User ID Overrides;allow (compare,read,search) userdn = ldap:///all;;) +aci: (targetattr = createtimestamp || description || entryusn || gecos || gidnumber || homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey || loginshell || modifytimestamp || objectclass || uid || uidnumber)(targetfilter = (objectclass=ipaUserOverride))(version 3.0;acl permission:System: Read User ID Overrides;allow (compare,read,search) userdn = ldap:///all;;) dn: cn=ranges,cn=etc,dc=ipa,dc=example aci: (targetattr = cn || createtimestamp || entryusn || ipabaseid || ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || ipasecondarybaserid || modifytimestamp || objectclass)(targetfilter = (objectclass=ipaidrange))(version 3.0;acl permission:System: Read ID Ranges;allow (compare,read,search) userdn = ldap:///all;;) dn: cn=views,cn=accounts,dc=ipa,dc=example diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py index bfa8675..9c87210 100644 --- a/ipalib/plugins/idviews.py +++ b/ipalib/plugins/idviews.py 
@@ -659,6 +659,7 @@ class idoverrideuser(baseidoverride): 'ipapermdefaultattr': { 'objectClass', 'ipaAnchorUUID', 'uidNumber', 'description', 'homeDirectory', 'uid', 'ipaOriginalUid', 'loginShell', 'gecos', +'gidNumber', 'ipaSshPubkey', }, }, } -- 2.1.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
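Review bot: the index lines show the same blobs as the previous version (ACI.txt 27a5d2f..6680f65, idviews.py bfa8675..9c87210), so the only change in this revision is the commit subject now naming gidNumber alongside ipaSshPubkey; the targetattr list in the ACI.txt hunk and the `ipapermdefaultattr` set in the idviews.py hunk both carry gidnumber and ipasshpubkey, and the earlier upgrade plus host-principal ldapsearch result still applies to this code.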
Re: [Freeipa-devel] [PATCH] 0168 add permission for reading ipaSshPubkey for ID overrides
On 10/24/2014 03:32 PM, Alexander Bokovoy wrote:
> On Fri, 24 Oct 2014, Martin Kosek wrote:
>> On 10/24/2014 02:14 PM, Alexander Bokovoy wrote:
>>> On Fri, 24 Oct 2014, Alexander Bokovoy wrote:
>>>> Hi! A small patch to fix https://fedorahosted.org/freeipa/ticket/4664
>>> Sumit noted that we also miss gidNumber from the user's override permissions. Added to the new version of the patch.
>> The patch itself works fine, I tested an upgrade + ldapsearch with host/ principal. However, patch description needs update to also reflect gidNumber being added.
> Updated.

ACK. Pushed to:
master: d6b28f29ecffae604801a5380efdff135734785d
ipa-4-1: 47ab6351f1dc75cee0f2b868401f38174b67f87a

Martin