On 05/22/2014 04:03 PM, Petr Viktorin wrote:
> On 05/21/2014 08:08 AM, Martin Kosek wrote:
>> On 05/19/2014 03:27 PM, Petr Viktorin wrote:
>>> On 05/16/2014 02:00 PM, Martin Kosek wrote:
>>>> On 04/29/2014 11:02 PM, Petr Viktorin wrote:
>>>>> I didn't test this as much as I'd like to, but it might come in handy when
>>>>> testing my earlier patches.
>>>>>
>>>>> The ACI is removed in the managed permissions plugin because I want to make
>>>>> sure it's done after all the managed permission updates, which query it.
>>>>
>>>> It worked in my case (I tested upgrade from 3.3.5). What do we do about other
>>>> permissions we will want to remove? I am talking about following ACIs:
>>>>
>>>> - no anonymous access to roles
>>>> - no anonymous access to sudo
>>>> - no anonymous access to hbac
>>>> - no anonymous access to member information
>>>>
>>>> I would like to remove them in 544 as well as otherwise they would bias the
>>>> testing.
>>>
>>> Right. Here is the updated patch.
>>
>> I tested upgrade from 3.3.5 to 4.0 and in SUFFIX I still had some of the ACIs
>> left:
>>
>> (targetattr = "*")(target =
>> "ldap:///cn=*,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test")(version 3.0;
>> acl "No anonymous access to roles"; deny (read,search,compare) userdn !=
>> "ldap:///all";)
>>
>> (targetattr = "*")(target =
>> "ldap:///cn=*,ou=SUDOers,dc=mkosek-fedora20,dc=test")(version 3.0; acl "No
>> anonymous access to sudo"; deny (read,search,compare) userdn !=
>> "ldap:///all";)
>>
>> The problem is that you used your testing suffix instead of suffix variable.
>
> Shame on me. I've updated & rebased the patch.
>
> I've also made a git hook yell at me when I commit something containing "BRQ",
> hopefully this won't happen again.

Would it make sense to publish your FreeIPA git hooks somewhere on
http://www.freeipa.org/page/Contribute/Code or your github and link it? I think
it already contains a couple of gems that may help other people prevent basic
errors like this one.

Otherwise, the patch worked fine - ACK! I would like it to be pushed as soon as
the user ACI patch is pushed so that we have some time to find issues.

Martin
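
A pre-commit hook of the kind mentioned in the thread could look like the following. This is an added example, not Petr's actual hook or FreeIPA project code; the names `scan_added_lines`, `sample_diff` and `FORBIDDEN`, and the sample diff itself, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: reject commits whose staged changes add a forbidden string.
# FORBIDDEN is an extended regex; "BRQ" is the string named in the thread.
FORBIDDEN=${FORBIDDEN:-BRQ}

# Read a unified diff on stdin and print "file: text" for every ADDED line
# matching the regex in $1. Removed and context lines are ignored, so deleting
# a hard-coded value never blocks a commit. Returns 1 if anything matched.
scan_added_lines() {
    awk -v pat="$1" '
        /^diff --git / { in_hunk = 0; next }
        /^@@ /         { in_hunk = 1; next }
        !in_hunk && /^\+\+\+ / { file = substr($0, 5); sub(/^b\//, "", file); next }
        in_hunk && /^\+/ {
            text = substr($0, 2)
            if (text ~ pat) { print file ": " text; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample diff (hypothetical files, not from the real patch): the
# first file adds a hard-coded test suffix, the second only removes one.
sample_diff() {
    cat <<'EOF'
diff --git a/plugins/a.py b/plugins/a.py
--- a/plugins/a.py
+++ b/plugins/a.py
@@ -3,0 +4 @@
+base_dn = "dc=BRQ,dc=test"
diff --git a/plugins/b.py b/plugins/b.py
--- a/plugins/b.py
+++ b/plugins/b.py
@@ -7 +7 @@
-base_dn = "dc=BRQ,dc=test"
+base_dn = suffix
EOF
}

# Act as a hook only when installed as .git/hooks/pre-commit.
if [ "${0##*/}" = "pre-commit" ]; then
    if ! git diff --cached --no-color -U0 | scan_added_lines "$FORBIDDEN"; then
        echo "commit rejected: staged changes add a string matching '$FORBIDDEN'" >&2
        exit 1
    fi
fi
```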