On 04/15/2014 09:53 AM, Martin Kosek wrote:
On 04/14/2014 10:00 PM, Petr Viktorin wrote:
Read access is given to all authenticated users.
This only works when I added cn and objectclass attributes to the ACI. Is this
expected?
It would work when we add nsContainer ACI for cn=etc though as it has the
nsContainer objectclass.
You're right, cn and objectclass should be granted explicitly. My mistake.
Fixed patch attached.
--
Petr³
From 94e2401bde270c1671a10e18389e1c5b5a99ff7b Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed, 26 Mar 2014 14:56:30 +0100
Subject: [PATCH] Add managed read permission to config
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
ipalib/plugins/config.py | 22 ++
1 file changed, 22 insertions(+)
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index 05369be4e93052f18c6cefa03621d651f470749b..4ac411c74c75ab7408c5c876f1efaec8788a5618 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -94,6 +94,28 @@ class config(LDAPObject):
'ipaselinuxusermapdefault', 'ipaconfigstring', 'ipakrbauthzdata',
'ipauserauthtype'
]
+container_dn = DN(('cn', 'ipaconfig'), ('cn', 'etc'))
+permission_filter_objectclasses = ['ipaguiconfig']
+managed_permissions = {
+'System: Read Global Configuration': {
+'replaces_global_anonymous_aci': True,
+'ipapermbindruletype': 'all',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'cn', 'objectclass',
+'ipacertificatesubjectbase', 'ipaconfigstring',
+'ipadefaultemaildomain', 'ipadefaultloginshell',
+'ipadefaultprimarygroup', 'ipagroupobjectclasses',
+'ipagroupsearchfields', 'ipahomesrootdir',
+'ipakrbauthzdata', 'ipamaxusernamelength',
+'ipamigrationenabled', 'ipapwdexpadvnotify',
+'ipaselinuxusermapdefault', 'ipaselinuxusermaporder',
+'ipasearchrecordslimit', 'ipasearchtimelimit',
+'ipauserauthtype', 'ipauserobjectclasses',
+'ipausersearchfields', 'ipacustomfields',
+},
+},
+}
label = _('Configuration')
label_singular = _('Configuration')
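Review bot: The `ipapermdefaultattr` set in `managed_permissions` is an allow-list that any authenticated user can read, search and compare (`'ipapermbindruletype': 'all'`), and nothing in the new code says so. It is also maintained separately from the attribute list that closes just above it, whose name is outside the hunk. I would put a comment above `managed_permissions`, for example `# Readable by every authenticated user: list only non-sensitive attributes, and add new config attributes here explicitly`. Presumably an attribute added to the object later stays unreadable until it is listed here; that fails closed, but it would show up as silently missing data, so the comment should point maintainers at this set. The body of `class config` starts and continues outside the hunk, so whether other code depends on these attributes being readable cannot be checked from here.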
--
1.9.0