subject:"Re\: \[Freeipa\-devel\] \[PATCH\] 0610 Allow admins to write krbLoginFailedCount"

Re: [Freeipa-devel] [PATCH] 0610 Allow admins to write krbLoginFailedCount

2014-07-01 Thread Petr Viktorin


On 06/30/2014 04:29 PM, Martin Kosek wrote:

On 06/30/2014 01:58 PM, Petr Viktorin wrote:

On 06/30/2014 01:53 PM, Martin Kosek wrote:

On 06/30/2014 12:32 PM, Petr Viktorin wrote:

Fix for https://fedorahosted.org/freeipa/ticket/4409


I think something is missing here :-)



Sorry for that.


Looks ok. Do we need to add the new remove definitions given that the
respective ACIs were never released? I am just aiming for update file sanity.


Right, we don't.
I only left the ones up to the ipa-3-3 version.


--
Petr³

From 1ca5548cf8d572008dd770ccbd56faf012c5b4ee Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Mon, 30 Jun 2014 12:26:36 +0200
Subject: [PATCH] Allow admins to write krbLoginFailedCount

Without write access to this attribute, admins could not unlock users.

https://fedorahosted.org/freeipa/ticket/4409
---
 install/updates/20-aci.update | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 76179bfb68c011eaa6e8828a0b80eb38b373b51f..5c4d1a1e3a90fc92effc8cd08c5220a2c382a8c7 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -43,14 +43,13 @@ dn: $SUFFIX
 remove:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)'
 remove:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)'
 remove:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)'
-remove:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || enrolledBy || ipaNTHash)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)'
-add:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)'
+add:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)'
 # Write-only
 remove:aci:'(targetattr = userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory)(version 3.0; acl Admins can write passwords; allow (add,delete,write) groupdn=ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)'
 add:aci:'(targetattr = userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword ||

Re: [Freeipa-devel] [PATCH] 0610 Allow admins to write krbLoginFailedCount

2014-06-30 Thread Martin Kosek

On 06/30/2014 12:32 PM, Petr Viktorin wrote:
 Fix for https://fedorahosted.org/freeipa/ticket/4409

I think something is missing here :-)

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0610 Allow admins to write krbLoginFailedCount

2014-06-30 Thread Petr Viktorin


On 06/30/2014 01:53 PM, Martin Kosek wrote:

On 06/30/2014 12:32 PM, Petr Viktorin wrote:

Fix for https://fedorahosted.org/freeipa/ticket/4409


I think something is missing here :-)



Sorry for that.


--
Petr³
From 36fa1e33b21791d722ccc91353273935f154b280 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Mon, 30 Jun 2014 12:26:36 +0200
Subject: [PATCH] Allow admins to write krbLoginFailedCount

Without write access to this attribute, admins could not unlock users.

https://fedorahosted.org/freeipa/ticket/4409
---
 install/updates/20-aci.update | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 76179bfb68c011eaa6e8828a0b80eb38b373b51f..4e8608a195572bd8b1fac7ab4d3a163b42bcaad4 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -44,13 +44,15 @@ dn: $SUFFIX
 remove:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)'
 remove:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)'
 remove:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || enrolledBy || ipaNTHash)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)'
-add:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)'
+remove:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)'
+add:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)'
 # Write-only
 remove:aci:'(targetattr = userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory)(version 3.0; acl Admins can write passwords; allow (add,delete,write) groupdn=ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)'
 add:aci:'(targetattr = userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash)(version 3.0; acl Admins can write passwords; allow (add,delete,write) groupdn=ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)'
 add:aci:'(targetfilter = (objectClass=krbPwdPolicy))(targetattr = krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength)(version 3.0;acl Admins can write password policies; allow (read, search, compare, write) groupdn =

Re: [Freeipa-devel] [PATCH] 0610 Allow admins to write krbLoginFailedCount

2014-06-30 Thread Martin Kosek

On 06/30/2014 01:58 PM, Petr Viktorin wrote:
 On 06/30/2014 01:53 PM, Martin Kosek wrote:
 On 06/30/2014 12:32 PM, Petr Viktorin wrote:
 Fix for https://fedorahosted.org/freeipa/ticket/4409

 I think something is missing here :-)

 
 Sorry for that.

Looks ok. Do we need to add the new remove definitions given that the
respective ACIs were never released? I am just aiming for update file sanity.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0610 Allow admins to write krbLoginFailedCount

Re: [Freeipa-devel] [PATCH] 0610 Allow admins to write krbLoginFailedCount

Re: [Freeipa-devel] [PATCH] 0610 Allow admins to write krbLoginFailedCount

Re: [Freeipa-devel] [PATCH] 0610 Allow admins to write krbLoginFailedCount

4 matches

Site Navigation

Mail list logo

Footer information