[Freeipa-devel] [PATCH] 034 Entitlements ACIs not visible to Permission plugin
This patch fixes Entitlements privileges and ACIs. There were missing descriptions or the ACIs could not be processed by Permissino plugin because of missing prefix. https://fedorahosted.org/freeipa/ticket/997 From 2b088549da0b3c8beb4451d09e337b1dfa8ee9ce Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Tue, 22 Feb 2011 15:25:43 +0100 Subject: [PATCH] Entitlements ACIs not visible to Permission plugin This patch fixes Entitlements privileges and ACIs. There were missing descriptions or the ACIs could not be processed by Permissino plugin because of missing prefix. https://fedorahosted.org/freeipa/ticket/997 --- install/share/delegation.ldif |9 ++--- 1 files changed, 6 insertions(+), 3 deletions(-) diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif index 02dc850af1634483ad289eac261263db92157d11..5d4949ae37a33eabb9646b181e41923c5811275f 100644 --- a/install/share/delegation.ldif +++ b/install/share/delegation.ldif @@ -152,6 +152,7 @@ objectClass: top objectClass: groupofnames objectClass: nestedgroup cn: Register and Write Entitlements +description: Register and Write Entitlements member: cn=Entitlement Management,cn=roles,cn=accounts,$SUFFIX dn: cn=Read Entitlements,cn=privileges,cn=pbac,$SUFFIX @@ -160,6 +161,7 @@ objectClass: top objectClass: groupofnames objectClass: nestedgroup cn: Read Entitlements +description: Read Entitlements member: cn=Entitlement Management,cn=roles,cn=accounts,$SUFFIX member: cn=Entitlement Compliance,cn=roles,cn=accounts,$SUFFIX @@ -518,6 +520,7 @@ changetype: add objectClass: top objectClass: groupofnames objectClass: ipapermission +cn: Register Entitlements member: cn=Register and Write Entitlements,cn=privileges,cn=pbac,$SUFFIX dn: cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX 
@@ -656,17 +659,17 @@ aci: (targetattr = enrolledby || objectclass)(target = ldap:///fqdn=*,cn=comp dn: $SUFFIX changetype: modify add: aci -aci: (target = ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX;)(version 3.0;acl Register Entitlements;allow (add) groupdn = ldap:///cn=Register Entitlements,cn=permissions,cn=pbac,$SUFFIX;) +aci: (target = ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX;)(version 3.0;acl permission:Register Entitlements;allow (add) groupdn = ldap:///cn=Register Entitlements,cn=permissions,cn=pbac,$SUFFIX;) dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = usercertificate)(target = ldap:///ipaentitlement=*,cn=entitlements,cn=etc,$SUFFIX;)(version 3.0;acl Write Entitlements;allow (write) groupdn = ldap:///cn=Write entitlements,cn=permissions,cn=pbac,$SUFFIX;) +aci: (targetattr = usercertificate)(target = ldap:///ipaentitlement=*,cn=entitlements,cn=etc,$SUFFIX;)(version 3.0;acl permission:Write Entitlements;allow (write) groupdn = ldap:///cn=Write Entitlements,cn=permissions,cn=pbac,$SUFFIX;) dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = userpkcs12)(target = ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX;)(version 3.0;acl Read Entitlements;allow (read) groupdn = ldap:///cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX;) +aci: (targetattr = userpkcs12)(target = ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX;)(version 3.0;acl permission:Read Entitlements;allow (read) groupdn = ldap:///cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX;) # Create virtual operations entry. This is used to control access to # operations that don't rely on LDAP directly. -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
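Review bot: In the @@ -518,6 +520,7 hunk, the added "cn: Register Entitlements" repairs an ipapermission entry that had no cn at all, yet the commit message only talks about missing descriptions and the missing prefix. Please name the missing cn in the message too. The hunk's context stops at "dn: cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX", so it is not visible here whether the neighbouring permission entries carry a cn; worth confirming before this goes in.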
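Review bot: In the @@ -656,17 +659,17 hunk, the Write Entitlements ACI keeps the target "ldap:///ipaentitlement=*,cn=entitlements,cn=etc,$SUFFIX" while the Register and Read ACIs next to it use "ipaentitlementid=*". If entitlement entries are named by ipaentitlementid, the write rule would match no entry. Since this line is being rewritten anyway, please check whether its target should read "ipaentitlementid=*" like the other two.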
Re: [Freeipa-devel] [PATCH] 034 Entitlements ACIs not visible to Permission plugin
On Tue, 2011-02-22 at 15:46 +0100, Martin Kosek wrote: This patch fixes Entitlements privileges and ACIs. There were missing descriptions or the ACIs could not be processed by Permissino plugin because of missing prefix. https://fedorahosted.org/freeipa/ticket/997 I just want to add that this patch is built on top of Rob's patch 728 default roles. Attached a patch with fixed typo in commit message. Martin From 6d6acc6f622b473922458bff4c42ab73b0c1d78e Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Tue, 22 Feb 2011 15:25:43 +0100 Subject: [PATCH] Entitlements ACIs not visible to Permission plugin This patch fixes Entitlements privileges and ACIs. There were missing descriptions or the ACIs could not be processed by Permission plugin because of missing prefix. https://fedorahosted.org/freeipa/ticket/997 --- install/share/delegation.ldif |9 ++--- 1 files changed, 6 insertions(+), 3 deletions(-) diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif index 02dc850af1634483ad289eac261263db92157d11..5d4949ae37a33eabb9646b181e41923c5811275f 100644 --- a/install/share/delegation.ldif +++ b/install/share/delegation.ldif @@ -152,6 +152,7 @@ objectClass: top objectClass: groupofnames objectClass: nestedgroup cn: Register and Write Entitlements +description: Register and Write Entitlements member: cn=Entitlement Management,cn=roles,cn=accounts,$SUFFIX dn: cn=Read Entitlements,cn=privileges,cn=pbac,$SUFFIX @@ -160,6 +161,7 @@ objectClass: top objectClass: groupofnames objectClass: nestedgroup cn: Read Entitlements +description: Read Entitlements member: cn=Entitlement Management,cn=roles,cn=accounts,$SUFFIX member: cn=Entitlement Compliance,cn=roles,cn=accounts,$SUFFIX @@ -518,6 +520,7 @@ changetype: add objectClass: top objectClass: groupofnames objectClass: ipapermission +cn: Register Entitlements member: cn=Register and Write Entitlements,cn=privileges,cn=pbac,$SUFFIX dn: cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX 
@@ -656,17 +659,17 @@ aci: (targetattr = enrolledby || objectclass)(target = ldap:///fqdn=*,cn=comp dn: $SUFFIX changetype: modify add: aci -aci: (target = ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX;)(version 3.0;acl Register Entitlements;allow (add) groupdn = ldap:///cn=Register Entitlements,cn=permissions,cn=pbac,$SUFFIX;) +aci: (target = ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX;)(version 3.0;acl permission:Register Entitlements;allow (add) groupdn = ldap:///cn=Register Entitlements,cn=permissions,cn=pbac,$SUFFIX;) dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = usercertificate)(target = ldap:///ipaentitlement=*,cn=entitlements,cn=etc,$SUFFIX;)(version 3.0;acl Write Entitlements;allow (write) groupdn = ldap:///cn=Write entitlements,cn=permissions,cn=pbac,$SUFFIX;) +aci: (targetattr = usercertificate)(target = ldap:///ipaentitlement=*,cn=entitlements,cn=etc,$SUFFIX;)(version 3.0;acl permission:Write Entitlements;allow (write) groupdn = ldap:///cn=Write Entitlements,cn=permissions,cn=pbac,$SUFFIX;) dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = userpkcs12)(target = ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX;)(version 3.0;acl Read Entitlements;allow (read) groupdn = ldap:///cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX;) +aci: (targetattr = userpkcs12)(target = ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX;)(version 3.0;acl permission:Read Entitlements;allow (read) groupdn = ldap:///cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX;) # Create virtual operations entry. This is used to control access to # operations that don't rely on LDAP directly. -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
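Review bot: In the @@ -656,17 +659,17 hunk, the Write Entitlements line changes more than the acl name: its groupdn goes from "cn=Write entitlements" to "cn=Write Entitlements", which the commit message does not mention and should. Separately, all three ACIs are applied with "changetype: modify" and "add: aci", so a directory that already holds the un-prefixed values would keep them next to the new "permission:" ones. If any existing installs need to be covered, they need a step that deletes the old aci values.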
Re: [Freeipa-devel] [PATCH] 034 Entitlements ACIs not visible to Permission plugin
Martin Kosek wrote: This patch fixes Entitlements privileges and ACIs. There were missing descriptions or the ACIs could not be processed by Permissino plugin because of missing prefix. https://fedorahosted.org/freeipa/ticket/997 ack, pushed to master