On 05/19/2014 03:27 PM, Petr Viktorin wrote:
> On 05/16/2014 02:00 PM, Martin Kosek wrote:
>> On 04/29/2014 11:02 PM, Petr Viktorin wrote:
>>> I didn't test this as much as I'd like to, but it might come in handy when
>>> testing my earlier patches.
>>>
>>> The ACI is removed in the managed permissions plugin because I want to make
>>> sure it's done after all the managed permission updates, which query it.
>>
>> It worked in my case (I tested upgrade from 3.3.5). What do we do about other
>> permissions we will want to remove? I am talking about following ACIs:
>>
>> - no anonymous access to roles
>> - no anonymous access to sudo
>> - no anonymous access to hbac
>> - no anonymous access to member information
>>
>> I would like to remove them in 544 as well as otherwise they would bias the
>> testing.
>
> Right. Here is the updated patch.

I tested upgrade from 3.3.5 to 4.0 and in SUFFIX I still had some of the ACIs left:

(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)

(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=mkosek-fedora20,dc=test")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)

The problem is that you used your testing suffix instead of suffix variable.

Martin
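
Added example (not part of the original message and not the FreeIPA patch): a post-upgrade check that parses the suffix entry's ACI values and reports any of the legacy deny ACIs named in the thread that are still present. Assumptions: the removal deletes exact attribute values, `$SUFFIX` is a hypothetical template placeholder, and `dc=example,dc=test` is a constructed stand-in for a hardcoded testing suffix.

```python
import re

# Names of the ACIs the thread lists for removal (compared case-insensitively).
LEGACY_NAMES = {
    "no anonymous access to roles",
    "no anonymous access to sudo",
    "no anonymous access to hbac",
    "no anonymous access to member information",
}
NAME_RE = re.compile(r'\bacl\s+"([^"]+)"\s*;')
# "target" followed directly by "=", so "(targetattr = ...)" does not match.
TARGET_RE = re.compile(r'\(\s*target\s*=\s*"ldap:///([^"]*)"\s*\)')

# Constructed removal templates; "$SUFFIX" is a hypothetical placeholder.
TEMPLATES = [
    '(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")'
    '(version 3.0; acl "No anonymous access to roles"; '
    'deny (read,search,compare) userdn != "ldap:///all";)',
    '(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,$SUFFIX")'
    '(version 3.0; acl "No anonymous access to sudo"; '
    'deny (read,search,compare) userdn != "ldap:///all";)',
]

def parse_aci(value):
    """Return (acl name, target DN) from an ACI string; None where absent."""
    name = NAME_RE.search(value)
    target = TARGET_RE.search(value)
    return (name.group(1) if name else None,
            target.group(1) if target else None)

def remaining_legacy(live_acis, suffix):
    """Simulate exact-value removal using templates rendered for `suffix`
    and return (name, target) for every legacy ACI still left afterwards."""
    rendered = {t.replace("$SUFFIX", suffix) for t in TEMPLATES}
    left = []
    for value in live_acis:
        name, target = parse_aci(value)
        if value not in rendered and name and name.lower() in LEGACY_NAMES:
            left.append((name, target))
    return left

# The two ACI values quoted in the message, under the server's real suffix.
REAL_SUFFIX = "dc=mkosek-fedora20,dc=test"
LIVE = [t.replace("$SUFFIX", REAL_SUFFIX) for t in TEMPLATES]

if __name__ == "__main__":
    print("hardcoded suffix:", remaining_legacy(LIVE, "dc=example,dc=test"))
    print("suffix variable: ", remaining_legacy(LIVE, REAL_SUFFIX))
```

Run against the real `aci` values of the suffix entry after an upgrade, a non-empty result means anonymous-deny ACIs survived and will still shape what the new permissions appear to allow.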