On Fri, 2013-12-06 at 16:02 +0100, Petr Viktorin wrote:
> On 12/06/2013 03:49 PM, Simo Sorce wrote:
> > On Fri, 2013-12-06 at 15:46 +0100, Petr Viktorin wrote:
> >> On 12/06/2013 03:28 PM, Simo Sorce wrote:
> >>> On Fri, 2013-12-06 at 14:14 +0100, Petr Viktorin wrote:
> >>>> On 12/02/2013 02:48 PM, Petr Viktorin wrote:
> >>>>> On 12/02/2013 02:29 PM, Simo Sorce wrote:
> >>>
> >>>>>> It would be very nice if you can add the resulting LDAP objects in the
> >>>>>> example, that will allow me to reason on the correctness of the
> >>>>>> translation.
> >>>>>
> >>>>> OK, I'll work on that.
> >>>>
> >>>> I've added the resulting LDAP objects to the tests here:
> >>>> http://www.freeipa.org/index.php?title=V3/Permissions_V2/tests
> >>>
> >>> Thank you Petr,
> >>> I was looking at them and I see we often use target=ldap://<dn> type for
> >>> selecting which objects this applies to.
> >>>
> >>> This was sort of necessary when the permissions were all in the base and
> >>> we wanted to limit to specific entries in subtrees.
> >>>
> >>> However I was wondering if we shouldn't transition/allow to use
> >>> targetfilter or targetattrfilter (this would be needed to have
> >>> add/delete permissions).
> >>>
> >>> For example, instead of:
> >>> (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")
> >>> We could have:
> >>> (targetfilter = "(objectclass=ipaUser)")
> >>>
> >>> It also occurs to me we could do very neat things like allowing manager
> >>> access with (targetfilter = "(managedby=<dn>)"), and similar.
> >>>
> >>> In general using targetfilter and targetattrfilter is more flexible and
> >>> allows for applying different permissions depending exactly on the object
> >>> type or even specific sets of objects of a common type. Something the
> >>> simple target filter cannot do.
> >>>
> >>> What do you think?
> >>
> >> +1
> >>
> >> I don't think this should block the framework patches that are on list
> >> now, though. I'll file an RFE for tuning how the default and "type"
> >> permissions look. Would that be fine?
> >
> > Do we need a new attribute, or do you think we can do this without
> > changing the schema?
>
> Ah, yes. Please reserve ipaPermTargetAttrFilter.
> (ipaPermTargetFilter is already reserved)

Use: 2.16.840.1.113730.3.8.11.50

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
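An added illustration of the target-vs-targetfilter point discussed in the thread (example code, not from FreeIPA or 389-DS): a small evaluator that reads the `target`/`targetfilter` clauses of an ACI and checks which of a few constructed entries they select. The suffix, entry DNs and attribute values are made up for the example, and only single `(attr=value)` filters are handled.

```python
import re
from fnmatch import fnmatchcase

SUFFIX = "dc=example,dc=com"  # constructed stand-in for $SUFFIX

# Constructed sample entries (dn -> attributes). "bob" is an ipaUser stored
# outside cn=users, to show where DN-pattern and objectclass targeting differ.
ALICE = f"uid=alice,cn=users,cn=accounts,{SUFFIX}"
BOB = f"uid=bob,cn=staged users,cn=provisioning,{SUFFIX}"
SVC = f"uid=svc1,cn=sysaccounts,cn=etc,{SUFFIX}"
HOST = f"fqdn=host1.example.com,cn=computers,cn=accounts,{SUFFIX}"
ENTRIES = {
    ALICE: {"objectclass": ["ipaUser", "person"]},
    BOB: {"objectclass": ["ipaUser", "person"]},
    SVC: {"objectclass": ["account", "simpleSecurityObject"]},
    HOST: {"objectclass": ["ipaHost"], "managedby": [ALICE]},
}

# (target = "...") and (targetfilter = "...") clauses of a 389-DS style ACI.
TARGET_RE = re.compile(r'\(\s*(target|targetfilter)\s*=\s*"([^"]*)"\s*\)', re.I)
# Minimal LDAP filter: one (attr=value) term, '*' allowed as a wildcard.
FILTER_RE = re.compile(r"\((\w+)=([^()]*)\)")

def parse_targets(aci):
    return {kw.lower(): val for kw, val in TARGET_RE.findall(aci)}

def filter_matches(attrs, flt):
    m = FILTER_RE.fullmatch(flt.strip())
    if not m:
        raise ValueError(f"only (attr=value) filters are supported: {flt}")
    attr, pattern = m.group(1).lower(), m.group(2).lower()
    values = {k.lower(): v for k, v in attrs.items()}.get(attr, [])
    return any(fnmatchcase(v.lower(), pattern) for v in values)

def aci_applies(aci, dn, attrs):
    """Entry is selected only if every present targeting clause accepts it."""
    t = parse_targets(aci)
    if "target" in t:
        dn_pattern = t["target"].split("ldap:///", 1)[-1]
        if not fnmatchcase(dn.lower(), dn_pattern.lower()):
            return False
    if "targetfilter" in t and not filter_matches(attrs, t["targetfilter"]):
        return False
    return True

def targeted_entries(aci, entries=ENTRIES):
    return sorted(dn for dn, attrs in entries.items() if aci_applies(aci, dn, attrs))

ACI_BY_DN = f'(target = "ldap:///uid=*,cn=users,cn=accounts,{SUFFIX}")'
ACI_BY_CLASS = '(targetfilter = "(objectclass=ipaUser)")'
ACI_BY_MANAGER = f'(targetfilter = "(managedby={ALICE})")'
```

`ACI_BY_DN` selects only alice (DN location), `ACI_BY_CLASS` selects alice and bob (object type, wherever stored), and `ACI_BY_MANAGER` selects the host alice manages; concatenating the DN and class clauses narrows the result to alice again.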