Re: [Freeipa-devel] [PATCH] 0610 Allow admins to write krbLoginFailedCount
On 06/30/2014 04:29 PM, Martin Kosek wrote: On 06/30/2014 01:58 PM, Petr Viktorin wrote: On 06/30/2014 01:53 PM, Martin Kosek wrote: On 06/30/2014 12:32 PM, Petr Viktorin wrote: Fix for https://fedorahosted.org/freeipa/ticket/4409 I think something is missing here :-) Sorry for that. Looks ok. Do we need to add the new remove definitions given that the respective ACIs were never released? I am just aiming for update file sanity. Right, we don't. I only left the ones up to the ipa-3-3 version. -- PetrĀ³ From 1ca5548cf8d572008dd770ccbd56faf012c5b4ee Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Mon, 30 Jun 2014 12:26:36 +0200 Subject: [PATCH] Allow admins to write krbLoginFailedCount Without write access to this attribute, admins could not unlock users. https://fedorahosted.org/freeipa/ticket/4409 --- install/updates/20-aci.update | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update index 76179bfb68c011eaa6e8828a0b80eb38b373b51f..5c4d1a1e3a90fc92effc8cd08c5220a2c382a8c7 100644 --- a/install/updates/20-aci.update +++ b/install/updates/20-aci.update @@ -43,14 +43,13 @@ dn: $SUFFIX remove:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)' remove:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)' remove:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)' -remove:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || enrolledBy || ipaNTHash)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)' -add:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)' +add:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)' # Write-only remove:aci:'(targetattr = userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory)(version 3.0; acl Admins can write passwords; allow (add,delete,write) groupdn=ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)' add:aci:'(targetattr = userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword ||
Re: [Freeipa-devel] [PATCH] 0610 Allow admins to write krbLoginFailedCount
On 06/30/2014 12:32 PM, Petr Viktorin wrote: Fix for https://fedorahosted.org/freeipa/ticket/4409 I think something is missing here :-) ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0610 Allow admins to write krbLoginFailedCount
On 06/30/2014 01:53 PM, Martin Kosek wrote: On 06/30/2014 12:32 PM, Petr Viktorin wrote: Fix for https://fedorahosted.org/freeipa/ticket/4409 I think something is missing here :-) Sorry for that. -- PetrĀ³ From 36fa1e33b21791d722ccc91353273935f154b280 Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Mon, 30 Jun 2014 12:26:36 +0200 Subject: [PATCH] Allow admins to write krbLoginFailedCount Without write access to this attribute, admins could not unlock users. https://fedorahosted.org/freeipa/ticket/4409 --- install/updates/20-aci.update | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update index 76179bfb68c011eaa6e8828a0b80eb38b373b51f..4e8608a195572bd8b1fac7ab4d3a163b42bcaad4 100644 --- a/install/updates/20-aci.update +++ b/install/updates/20-aci.update @@ -44,13 +44,15 @@ dn: $SUFFIX remove:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)' remove:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)' remove:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || enrolledBy || ipaNTHash)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)' -add:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)' +remove:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)' +add:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)' # Write-only remove:aci:'(targetattr = userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory)(version 3.0; acl Admins can write passwords; allow (add,delete,write) groupdn=ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)' add:aci:'(targetattr = userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash)(version 3.0; acl Admins can write passwords; allow (add,delete,write) groupdn=ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)' add:aci:'(targetfilter = (objectClass=krbPwdPolicy))(targetattr = krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength)(version 3.0;acl Admins can write password policies; allow (read, search, compare, write) groupdn =
Re: [Freeipa-devel] [PATCH] 0610 Allow admins to write krbLoginFailedCount
On 06/30/2014 01:58 PM, Petr Viktorin wrote: On 06/30/2014 01:53 PM, Martin Kosek wrote: On 06/30/2014 12:32 PM, Petr Viktorin wrote: Fix for https://fedorahosted.org/freeipa/ticket/4409 I think something is missing here :-) Sorry for that. Looks ok. Do we need to add the new remove definitions given that the respective ACIs were never released? I am just aiming for update file sanity. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel