On Thu, 12 Jan 2012, Rob Crittenden wrote:
(assuming joe doesn't already exist, of course).
Refactored the patch using original values from options[]:
$ ipa sudorule-add-runasuser testr --group=all
ipa: ERROR: invalid 'runas-user': RunAsUser does not accept 'all' as a group name
$ ipa
On Thu, 15 Dec 2011, Rob Crittenden wrote:
If this is acceptable, I can do refactoring in a different ticket.
NACK.
We still have the value passed in by the user, right (in
options['user'] and options['group'])? We basically take that,
create a DN out of it, then pull the same value out.
Alexander Bokovoy wrote:
On Thu, 15 Dec 2011, Rob Crittenden wrote:
If this is acceptable, I can do refactoring in a different ticket.
NACK.
We still have the value passed in by the user, right (in
options['user'] and options['group'])? We basically take that,
create a DN out of it, then
Alexander Bokovoy wrote:
On Mon, 12 Dec 2011, Rob Crittenden wrote:
actual members, it treats it as a no-op. We should probably be
consistent.
Don't understand. Did you mean 'to not provide any actual members'?
In case you did, attached patch removes remaining checks for
runas_{user,group} to
Alexander Bokovoy wrote:
On Fri, 02 Dec 2011, Rob Crittenden wrote:
Alexander Bokovoy wrote:
Hi,
FreeIPA SUDO rules use --usercat/--groupcat to specify that a rule
applies to all users or groups. Thus, sudorule-add-runasuser and
sudorule-add-runasgroup accept specific groups and users and do
On Mon, 12 Dec 2011, Rob Crittenden wrote:
actual members, it treats it as a no-op. We should probably be
consistent.
Don't understand. Did you mean 'to not provide any actual members'?
In case you did, attached patch removes remaining checks for
runas_{user,group} to be False.
It
Alexander Bokovoy wrote:
Hi,
FreeIPA SUDO rules use --usercat/--groupcat to specify that a rule
applies to all users or groups. Thus, sudorule-add-runasuser and
sudorule-add-runasgroup accept specific groups and users and do not
accept the ALL reserved word.
The patch validates user and group passed