Martin Kosek wrote:
> On 09/18/2014 04:06 PM, David Kupka wrote:
>> On 09/18/2014 03:44 PM, Rob Crittenden wrote:
>>> David Kupka wrote:
>>>> https://fedorahosted.org/freeipa/ticket/4421
>>>
>>> You are removing an ACI in this patch. It is always possible it is no
>>> longer needed. Did you test all the client enrollment scenarios?
>>>
>>> rob
>>>
>>
>> As far as I'm aware I'm not removing any ACI. I'm modifying an ACI so it is
>> possible to add krbPrincipalName to a host even when there is already one (or
>> more), and adding one ACI to allow writing krbCanonicalName to a host.
>> But I'm still not really familiar with ACIs, so please correct me if I'm wrong.
>>
>
> What he refers to is probably the update in ACI.txt - the ACI alternative to
> API.txt. David updated an ACI, not removed it.
>
> On that note, what is the reason for this permission change:
>
> - 'ipapermtargetfilter': [
> - '(objectclass=ipahost)',
> - '(!(krbprincipalname=*))',
> - ],
>
> ?
Yes, this is exactly the change I was referring to. Permission changes within a plugin now translate automatically to ACI changes. Sorry I wasn't clearer.

This ACI gets replaced with a much simpler one and I'm not 100% sure it will work with all enrollments:

-aci: (targetattr = "krbprincipalname")(targetfilter = "(&(!(krbprincipalname=*))(objectclass=ipahost))")(version 3.0;acl "permission:System: Add krbPrincipalName to a Host";allow (write) groupdn = "ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "krbprincipalname")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Add krbPrincipalName to a Host";allow (write) groupdn = "ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example";)

The first one restricts writing the attribute only if it isn't already set. The second lets it be changed unconditionally.

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
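Review bot: the `+aci:` line drops the `(!(krbprincipalname=*))` guard from the targetfilter, and since the right granted is `allow (write)` on krbprincipalname, which covers replacing and deleting values as well as adding them, the permission named "Add krbPrincipalName to a Host" now also lets its holder overwrite or remove an existing host principal instead of only setting one where none exists. If adding a further principal beside an existing one is the intended change, that widening of scope should be stated in the commit message and exercised by the client enrollment tests asked for earlier in the thread, rather than left implicit in the simpler filter.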
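To make the difference between the two targetfilters concrete, here is an added example that is not part of the thread or of FreeIPA's code: a small evaluator for the LDAP filter subset these ACIs use, run against constructed host and user entries (entry contents, hostnames and realm are assumptions).

```python
# Added example, not FreeIPA code: evaluate the two ACI targetfilters quoted
# above against constructed entries to see which entries each ACI applies to.
OLD_FILTER = "(&(!(krbprincipalname=*))(objectclass=ipahost))"  # before the patch
NEW_FILTER = "(objectclass=ipahost)"                             # after the patch

def _parse(s, i):
    """Recursive-descent parser for the filter subset used in these ACIs:
    (&...), (|...), (!...), (attr=value) and the presence test (attr=*)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, val = s[i:j].split("=", 1)
    return ("=", attr.strip().lower(), val.strip()), j + 1

def matches(node, entry):
    """entry maps lowercase attribute names to value lists; matching is case-insensitive."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, val = node
    values = [v.lower() for v in entry.get(attr, [])]
    return bool(values) if val == "*" else val.lower() in values

def aci_applies(filter_str, entry):
    """True if an ACI with this targetfilter covers the entry, i.e. the
    permission holder may write krbPrincipalName on it."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing text after filter")
    return matches(node, entry)

# Constructed sample entries (hostnames and realm are made up).
NEW_HOST = {"objectclass": ["ipahost", "top"], "fqdn": ["new.example.test"]}
ENROLLED_HOST = {"objectclass": ["ipahost", "top"], "fqdn": ["old.example.test"],
                 "krbprincipalname": ["host/old.example.test@EXAMPLE.TEST"]}
USER = {"objectclass": ["person"], "uid": ["alice"]}
```

With these entries the old filter covers only NEW_HOST, while the new filter covers both hosts and still excludes the user entry.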