On 04/08/2014 11:03 AM, Petr Viktorin wrote:
> On 04/07/2014 01:30 PM, Martin Kosek wrote:
>> On 04/03/2014 12:09 PM, Petr Viktorin wrote:
>>> Hello,
>>> This adds read permissions to read Sudo commands, command groups, rules.
>>>
>>> Read access is given to all authenticated users.
>>
>> Looks good. What about "ou=sudoers"? I think we should also allow it in this
>> patch for authenticated users. This is the tree that clients use to read
>> sudo.
>
> This new version does that. It needs my patches 0508-0509 since the ou=sudoers
> permission is not tied to a specific Object plugin.
>

I would also allow 'ou', otherwise an authenticated user cannot read the ou=sudoers RDN.

I will comment on NONOBJECT_PERMISSIONS in the other thread.

Martin