Re: [Freeipa-devel] [PATCH] 0544 Remove the global anonymous read ACI

2014-05-26 Thread Petr Viktorin

On 05/23/2014 02:26 PM, Martin Kosek wrote:

> On 05/22/2014 04:03 PM, Petr Viktorin wrote:
>> On 05/21/2014 08:08 AM, Martin Kosek wrote:
>>> On 05/19/2014 03:27 PM, Petr Viktorin wrote:
>>>> On 05/16/2014 02:00 PM, Martin Kosek wrote:
>>>>> On 04/29/2014 11:02 PM, Petr Viktorin wrote:
>>>>>> I didn't test this as much as I'd like to, but it might come in handy when
>>>>>> testing my earlier patches.
>>>>>>
>>>>>> The ACI is removed in the managed permissions plugin because I want to make
>>>>>> sure it's done after all the managed permission updates, which query it.
>>>>>
>>>>> It worked in my case (I tested upgrade from 3.3.5). What do we do about other
>>>>> permissions we will want to remove? I am talking about the following ACIs:
>>>>>
>>>>> - no anonymous access to roles
>>>>> - no anonymous access to sudo
>>>>> - no anonymous access to hbac
>>>>> - no anonymous access to member information
>>>>>
>>>>> I would like to remove them in 544 as well as otherwise they would bias the
>>>>> testing.
>>>>
>>>> Right. Here is the updated patch.
>>>
>>> I tested upgrade from 3.3.5 to 4.0 and in SUFFIX I still had some of the ACIs
>>> left:
>>>
>>> (targetattr = "*")(target =
>>> "ldap:///cn=*,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test")(version 3.0;
>>> acl "No anonymous access to roles"; deny (read,search,compare) userdn !=
>>> "ldap:///all";)
>>>
>>> (targetattr = "*")(target =
>>> "ldap:///cn=*,ou=SUDOers,dc=mkosek-fedora20,dc=test")(version 3.0; acl "No
>>> anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)
>>>
>>> The problem is that you used your testing suffix instead of suffix variable.
>>
>> Shame on me. I've updated & rebased the patch.
>>
>> I've also made a git hook yell at me when I commit something containing "BRQ",
>> hopefully this won't happen again.
>
> Would it make sense to publish your FreeIPA git hooks somewhere on
> http://www.freeipa.org/page/Contribute/Code or your github and link it? I think
> it already contains a couple of gems that may help other people prevent basic errors
> like this one.

Sure, I'll document it a bit and publish.

> Otherwise, the patch worked fine - ACK!
>
> I would like it to be pushed as soon as user ACI patch is pushed so that we
> have some time to find issues.


Thanks!
Pushed to master: 193ced0bd7a9a26e7b25f08b023ee21302acaac7


--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 0544 Remove the global anonymous read ACI

2014-05-23 Thread Martin Kosek
On 05/22/2014 04:03 PM, Petr Viktorin wrote:
> On 05/21/2014 08:08 AM, Martin Kosek wrote:
>> On 05/19/2014 03:27 PM, Petr Viktorin wrote:
>>> On 05/16/2014 02:00 PM, Martin Kosek wrote:
>>>> On 04/29/2014 11:02 PM, Petr Viktorin wrote:
>>>>> I didn't test this as much as I'd like to, but it might come in handy when
>>>>> testing my earlier patches.
>>>>>
>>>>> The ACI is removed in the managed permissions plugin because I want to make
>>>>> sure it's done after all the managed permission updates, which query it.
>>>>
>>>> It worked in my case (I tested upgrade from 3.3.5). What do we do about other
>>>> permissions we will want to remove? I am talking about the following ACIs:
>>>>
>>>> - no anonymous access to roles
>>>> - no anonymous access to sudo
>>>> - no anonymous access to hbac
>>>> - no anonymous access to member information
>>>>
>>>> I would like to remove them in 544 as well as otherwise they would bias the
>>>> testing.
>>>
>>> Right. Here is the updated patch.
>>
>> I tested upgrade from 3.3.5 to 4.0 and in SUFFIX I still had some of the ACIs
>> left:
>>
>> (targetattr = "*")(target =
>> "ldap:///cn=*,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test")(version 3.0;
>> acl "No anonymous access to roles"; deny (read,search,compare) userdn !=
>> "ldap:///all";)
>>
>> (targetattr = "*")(target =
>> "ldap:///cn=*,ou=SUDOers,dc=mkosek-fedora20,dc=test")(version 3.0; acl "No
>> anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)
>>
>> The problem is that you used your testing suffix instead of suffix variable.
> 
> Shame on me. I've updated & rebased the patch.
> 
> I've also made a git hook yell at me when I commit something containing "BRQ",
> hopefully this won't happen again.

Would it make sense to publish your FreeIPA git hooks somewhere on
http://www.freeipa.org/page/Contribute/Code or your github and link it? I think
it already contains a couple of gems that may help other people prevent basic errors
like this one.

Otherwise, the patch worked fine - ACK!

I would like it to be pushed as soon as user ACI patch is pushed so that we
have some time to find issues.

Martin



Re: [Freeipa-devel] [PATCH] 0544 Remove the global anonymous read ACI

2014-05-22 Thread Petr Viktorin

On 05/21/2014 08:08 AM, Martin Kosek wrote:

> On 05/19/2014 03:27 PM, Petr Viktorin wrote:
>> On 05/16/2014 02:00 PM, Martin Kosek wrote:
>>> On 04/29/2014 11:02 PM, Petr Viktorin wrote:
>>>> I didn't test this as much as I'd like to, but it might come in handy when
>>>> testing my earlier patches.
>>>>
>>>> The ACI is removed in the managed permissions plugin because I want to make
>>>> sure it's done after all the managed permission updates, which query it.
>>>
>>> It worked in my case (I tested upgrade from 3.3.5). What do we do about other
>>> permissions we will want to remove? I am talking about the following ACIs:
>>>
>>> - no anonymous access to roles
>>> - no anonymous access to sudo
>>> - no anonymous access to hbac
>>> - no anonymous access to member information
>>>
>>> I would like to remove them in 544 as well as otherwise they would bias the
>>> testing.
>>
>> Right. Here is the updated patch.
>
> I tested upgrade from 3.3.5 to 4.0 and in SUFFIX I still had some of the ACIs
> left:
>
> (targetattr = "*")(target =
> "ldap:///cn=*,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test")(version 3.0;
> acl "No anonymous access to roles"; deny (read,search,compare) userdn !=
> "ldap:///all";)
>
> (targetattr = "*")(target =
> "ldap:///cn=*,ou=SUDOers,dc=mkosek-fedora20,dc=test")(version 3.0; acl "No
> anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)
>
> The problem is that you used your testing suffix instead of suffix variable.


Shame on me. I've updated & rebased the patch.

I've also made a git hook yell at me when I commit something containing 
"BRQ", hopefully this won't happen again.


--
Petr³

From 0802e5ae783703c6f1d05ac3f961e41233884a10 Mon Sep 17 00:00:00 2001
From: Petr Viktorin 
Date: Tue, 29 Apr 2014 21:46:26 +0200
Subject: [PATCH] Remove the global anonymous read ACI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Also remove
- the deny ACIs that implemented exceptions to it:
  - no anonymous access to roles
  - no anonymous access to member information
  - no anonymous access to hbac
  - no anonymous access to sudo (2×)
- its updater plugin

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 install/share/default-aci.ldif | 13 ---
 install/share/delegation.ldif  |  5 --
 install/updates/20-aci.update  | 11 +++
 install/updates/60-trusts.update   |  1 -
 ipaserver/install/plugins/update_anonymous_aci.py  | 96 --
 .../install/plugins/update_managed_permissions.py  | 19 +
 6 files changed, 30 insertions(+), 115 deletions(-)
 delete mode 100644 ipaserver/install/plugins/update_anonymous_aci.py

diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index 480facf3294c593c6a2bcf326e20c32157d6d3c6..04fc185f785ee71246c6cc4f958c754158f16302 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -3,10 +3,7 @@
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenHOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,$SUFFIX";)(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";;)
-aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";;)
 aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";;)
-aci: (targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,$SUFFIX";)(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";;)
 
 dn: $SUFFIX
 changetype: modify
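
Review bot: The two deny rules dropped from `$SUFFIX` in this hunk only had an effect while the `Enable Anonymous access` allow existed, so on upgrade the order of removal matters. The cover letter says the allow is removed late, in the managed permissions plugin; if the deny rules are removed earlier (the diffstat shows additions to install/updates/20-aci.update, but that hunk is not visible here), there is a step during the upgrade where `memberOf`, `memberHost`, `memberUser` and the `ou=SUDOers` entries are readable anonymously. Suggest removing the deny rules in the same step as the allow, or after it.
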
@@ -65,16 +62,6 @@ dn: cn=computers,cn=accounts,$SUFFIX
 add: aci
 aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "Admins can manage host keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)
 
-dn: cn=hbac,$SUFFIX
-changetype: modify
-add: aci
-aci: (targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny (read,search,compare) userdn != "ldap:///all";;)
-
-dn: cn=sudo,$SUFFIX
-changetype: modify
-add: aci
-aci: (targetattr = "*")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";;)
-
 # This is used for the host/service one-time passwordn and keytab indirectors.
 # We can do a query on a DN to see if an attribute exists.
 dn: cn=accounts,$SUFFIX
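
Review bot: Nothing in the patch checks the result of removing the `cn=hbac,$SUFFIX` and `cn=sudo,$SUFFIX` deny rules in this hunk; the diffstat lists no test file. An upgrade test that binds anonymously and asserts that searches under both containers return no entries would show that access is now refused because no allow rule applies rather than because of these rules, and would catch a leftover or re-added anonymous allow.
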
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 7bd4e1e2d93b1dde4122ad1bfbe889625d983

Re: [Freeipa-devel] [PATCH] 0544 Remove the global anonymous read ACI

2014-05-20 Thread Martin Kosek
On 05/19/2014 03:27 PM, Petr Viktorin wrote:
> On 05/16/2014 02:00 PM, Martin Kosek wrote:
>> On 04/29/2014 11:02 PM, Petr Viktorin wrote:
>>> I didn't test this as much as I'd like to, but it might come in handy when
>>> testing my earlier patches.
>>>
>>> The ACI is removed in the managed permissions plugin because I want to make
>>> sure it's done after all the managed permission updates, which query it.
>>
>> It worked in my case (I tested upgrade from 3.3.5). What do we do about other
>> permissions we will want to remove? I am talking about the following ACIs:
>>
>> - no anonymous access to roles
>> - no anonymous access to sudo
>> - no anonymous access to hbac
>> - no anonymous access to member information
>>
>> I would like to remove them in 544 as well as otherwise they would bias the
>> testing.
> 
> Right. Here is the updated patch.

I tested upgrade from 3.3.5 to 4.0 and in SUFFIX I still had some of the ACIs 
left:

(targetattr = "*")(target =
"ldap:///cn=*,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test")(version 3.0;
acl "No anonymous access to roles"; deny (read,search,compare) userdn !=
"ldap:///all";)

(targetattr = "*")(target =
"ldap:///cn=*,ou=SUDOers,dc=mkosek-fedora20,dc=test")(version 3.0; acl "No
anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)

The problem is that you used your testing suffix instead of suffix variable.

Martin
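
The check described in the message above (ACIs still on the suffix after an upgrade, caused by a hard-coded test suffix in the removal) can be scripted. This is an added example, not FreeIPA code and not part of the thread: the function names, the `dc=example,dc=test` placeholder suffix and the sample values are constructed for illustration, and the parser only handles the `version 3.0` ACI form quoted in this thread.

```python
import re

# ACL names removed by the patch in this thread (from its commit message).
REMOVED = {"Enable Anonymous access", "No anonymous access to roles",
           "No anonymous access to member information",
           "No anonymous access to hbac", "No anonymous access to sudo"}
ACL_RE = re.compile(
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]+)"\s*;\s*'
    r'(?P<kind>allow|deny)\s*\((?P<rights>[^)]*)\)\s*(?P<bind>.*?);\s*\)\s*$',
    re.S)
LDAP_URL_RE = re.compile(r'ldap:///([^"]*)')


def parse_aci(value):
    """Pull name, allow/deny, rights and bind rule out of one aci value."""
    m = ACL_RE.search(value)
    if m is None:
        raise ValueError("unrecognised ACI: %r" % value[:40])
    rights = {r.strip().lower() for r in m.group("rights").split(",")}
    return {"name": m.group("name"), "kind": m.group("kind"),
            "rights": rights, "bind": m.group("bind").strip()}


def leftover_acis(aci_values):
    """Names of ACIs still present that the upgrade was meant to remove."""
    return sorted({parse_aci(v)["name"] for v in aci_values} & REMOVED)


def anonymous_read_grants(aci_values):
    """Names of allow rules giving read/search/compare to ldap:///anyone."""
    acis = [parse_aci(v) for v in aci_values]
    return [a["name"] for a in acis
            if a["kind"] == "allow"
            and a["rights"] & {"read", "search", "compare", "all"}
            and re.search(r'userdn\s*=\s*"ldap:///anyone"', a["bind"])]


def hardcoded_suffix_lines(update_text):
    """1-based numbers of lines whose LDAP URLs name a literal dc= suffix."""
    return [n for n, line in enumerate(update_text.splitlines(), 1)
            if any(re.search(r'(^|,)\s*dc=', dn, re.I)
                   for dn in LDAP_URL_RE.findall(line))]


# Constructed samples; dc=example,dc=test is a placeholder suffix.
_DENY = ('(targetattr = "*")(target = "ldap:///%s")(version 3.0; acl "%s"; '
         'deny (read,search,compare) userdn != "ldap:///all";)')
# aci values as read back from the suffix entry after an upgrade.
SAMPLE_ACIS = [
    _DENY % ("cn=*,cn=roles,cn=accounts,dc=example,dc=test",
             "No anonymous access to roles"),
    '(targetattr = "userpassword")(version 3.0; acl "selfservice:Self can '
    'write own password"; allow (write) userdn="ldap:///self";)',
    '(targetattr != "userPassword")(version 3.0; acl "Enable Anonymous '
    'access"; allow (read, search, compare) userdn = "ldap:///anyone";)',
]
# Update-file fragment whose third line hard-codes the suffix.
SAMPLE_UPDATE = "\n".join([
    "dn: $SUFFIX",
    "remove:aci: '%s'" % (_DENY % ("cn=*,ou=SUDOers,$SUFFIX",
                                  "No anonymous access to sudo")),
    "remove:aci: '%s'" % SAMPLE_ACIS[0],
])
```

`hardcoded_suffix_lines` is the kind of check that also fits a pre-commit hook over the update files, and `leftover_acis` needs to be run per entry, since the same ACL name can sit on more than one DN.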



Re: [Freeipa-devel] [PATCH] 0544 Remove the global anonymous read ACI

2014-05-19 Thread Petr Viktorin

On 05/16/2014 02:00 PM, Martin Kosek wrote:

> On 04/29/2014 11:02 PM, Petr Viktorin wrote:
>> I didn't test this as much as I'd like to, but it might come in handy when
>> testing my earlier patches.
>>
>> The ACI is removed in the managed permissions plugin because I want to make
>> sure it's done after all the managed permission updates, which query it.
>
> It worked in my case (I tested upgrade from 3.3.5). What do we do about other
> permissions we will want to remove? I am talking about the following ACIs:
>
> - no anonymous access to roles
> - no anonymous access to sudo
> - no anonymous access to hbac
> - no anonymous access to member information
>
> I would like to remove them in 544 as well as otherwise they would bias the
> testing.


Right. Here is the updated patch.


--
Petr³
From 316605f6aa5f487b2845bc3abc3d9e029b60bd0a Mon Sep 17 00:00:00 2001
From: Petr Viktorin 
Date: Tue, 29 Apr 2014 21:46:26 +0200
Subject: [PATCH] Remove the global anonymous read ACI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Also remove
- the deny ACIs that implemented exceptions to it:
  - no anonymous access to roles
  - no anonymous access to member information
  - no anonymous access to hbac
  - no anonymous access to sudo (2×)
- its updater plugin

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 install/share/default-aci.ldif | 13 ---
 install/share/delegation.ldif  |  5 --
 install/updates/20-aci.update  | 13 +++
 install/updates/60-trusts.update   |  1 -
 ipaserver/install/plugins/update_anonymous_aci.py  | 96 --
 .../install/plugins/update_managed_permissions.py  | 19 +
 6 files changed, 32 insertions(+), 115 deletions(-)
 delete mode 100644 ipaserver/install/plugins/update_anonymous_aci.py

diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index 480facf3294c593c6a2bcf326e20c32157d6d3c6..04fc185f785ee71246c6cc4f958c754158f16302 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -3,10 +3,7 @@
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenHOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,$SUFFIX";)(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";;)
-aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";;)
 aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";;)
-aci: (targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,$SUFFIX";)(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";;)
 
 dn: $SUFFIX
 changetype: modify
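
Review bot: Two of the three values removed from `$SUFFIX` in this hunk embed the suffix in a `target` (`ldap:///idnsname=*,cn=dns,$SUFFIX` and `ldap:///cn=*,ou=SUDOers,$SUFFIX`), so any upgrade-side removal of them has to be written with the `$SUFFIX` variable as well. The reply to this version of the patch reports ACIs left behind after an upgrade because a literal test suffix was used, and the two it lists are rules whose value contains the suffix. Worth grepping the update files for a literal `dc=` before sending.
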
@@ -65,16 +62,6 @@ dn: cn=computers,cn=accounts,$SUFFIX
 add: aci
 aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "Admins can manage host keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)
 
-dn: cn=hbac,$SUFFIX
-changetype: modify
-add: aci
-aci: (targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny (read,search,compare) userdn != "ldap:///all";;)
-
-dn: cn=sudo,$SUFFIX
-changetype: modify
-add: aci
-aci: (targetattr = "*")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";;)
-
 # This is used for the host/service one-time passwordn and keytab indirectors.
 # We can do a query on a DN to see if an attribute exists.
 dn: cn=accounts,$SUFFIX
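
Review bot: The `No anonymous access to sudo` rule removed here sits on `cn=sudo,$SUFFIX` and has no `target`, while a rule with the same name is removed from `$SUFFIX` in the previous hunk (the "2×" in the commit message). The upgrade path therefore has to modify three different entries (`$SUFFIX`, `cn=hbac,$SUFFIX`, `cn=sudo,$SUFFIX`); a removal keyed on the ACL name against `$SUFFIX` alone would miss both rules in this hunk. A comment in the update file saying which entry each removal applies to would help.
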
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 7bd4e1e2d93b1dde4122ad1bfbe889625d983544..43d13974ffd63ea6ee554c815b911715609149b8 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -580,11 +580,6 @@ dn: $SUFFIX
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX";)(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";;)
-
-dn: $SUFFIX
-changetype: modify
-add: aci
 aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX";)
 aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX";)
 aci: (ta
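
Review bot: Removing the second `dn: $SUFFIX` / `changetype: modify` / `add: aci` header together with the roles deny rule folds the `permission:Add Roles` and following ACIs into the preceding modify record. That covers fresh installs only: the reply to this version reports the roles rule still present after an upgrade, so the removal on existing servers depends entirely on the update side. A leftover deny fails closed, so it is not an exposure, but it hides whether the new read permissions on roles work, which is the testing bias raised earlier in the thread.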

Re: [Freeipa-devel] [PATCH] 0544 Remove the global anonymous read ACI

2014-05-16 Thread Martin Kosek
On 04/29/2014 11:02 PM, Petr Viktorin wrote:
> I didn't test this as much as I'd like to, but it might come in handy when
> testing my earlier patches.
> 
> The ACI is removed in the managed permissions plugin because I want to make
> sure it's done after all the managed permission updates, which query it.

It worked in my case (I tested upgrade from 3.3.5). What do we do about other
permissions we will want to remove? I am talking about the following ACIs:

- no anonymous access to roles
- no anonymous access to sudo
- no anonymous access to hbac
- no anonymous access to member information

I would like to remove them in 544 as well as otherwise they would bias the
testing.

Martin



[Freeipa-devel] [PATCH] 0544 Remove the global anonymous read ACI

2014-04-29 Thread Petr Viktorin
I didn't test this as much as I'd like to, but it might come in handy 
when testing my earlier patches.


The ACI is removed in the managed permissions plugin because I want to 
make sure it's done after all the managed permission updates, which 
query it.


--
Petr³
From 5d1bdbf5b84cb4dc286b72274edfc03d9158dc20 Mon Sep 17 00:00:00 2001
From: Petr Viktorin 
Date: Tue, 29 Apr 2014 21:46:26 +0200
Subject: [PATCH] Remove the global anonymous read ACI

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 install/share/default-aci.ldif |  1 -
 install/updates/60-trusts.update   |  1 -
 ipaserver/install/plugins/update_anonymous_aci.py  | 96 --
 .../install/plugins/update_managed_permissions.py  | 19 +
 4 files changed, 19 insertions(+), 98 deletions(-)
 delete mode 100644 ipaserver/install/plugins/update_anonymous_aci.py

diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index 480facf3294c593c6a2bcf326e20c32157d6d3c6..78a1b1f40cdff3e216bdb3d6b3d22e22d49e29aa 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -3,7 +3,6 @@
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenHOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,$SUFFIX";)(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";;)
 aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";;)
 aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";;)
 aci: (targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,$SUFFIX";)(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";;)
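
Review bot: With the `Enable Anonymous access` allow gone, the two `deny (read,search,compare) userdn != "ldap:///all"` rules left as context in this hunk (`No anonymous access to member information` and `No anonymous access to sudo`) no longer carve anything out of a global grant, but they still override any new permission meant to give anonymous read on those attributes or entries. Suggest removing them in the same patch, or saying in the commit message why they stay, so that test results for the new permissions are not skewed.
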
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index 77c2104ffa62462634438f7b729cdfd71cd27eb3..371bf656fcdea6b7ec54aeb42c5afd25ef1b90f9 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
@@ -34,7 +34,6 @@ dn: cn=trusts,$SUFFIX
 dn: $SUFFIX
 add:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
 remove:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
-replace:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";;)::(target != "ldap:///idnsname=*,cn=dns,$SUFFIX";)(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";;)'
 
 # Add the default PAC type to configuration
 dn: cn=ipaConfig,cn=etc,$SUFFIX
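
Review bot: The `replace:aci:` line dropped here carries two further spellings of `Enable Anonymous access` (with and without the `idnsname` target and `ipaNTHash`), and default-aci.ldif has a third with a `targetfilter`. A server upgraded from an older release can hold any of them, so the removal in the managed permissions plugin should match on the ACL name rather than on one exact value; otherwise an older variant survives and anonymous read stays enabled. Please note in the commit message which variants are handled.
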
diff --git a/ipaserver/install/plugins/update_anonymous_aci.py b/ipaserver/install/plugins/update_anonymous_aci.py
deleted file mode 100644
index 943b2457774c964fa66d97496bb66ef1f4e80f1c..
--- a/ipaserver/install/plugins/update_anonymous_aci.py
+++ /dev/null
@@ -1,96 +0,0 @@
-# Authors:
-#   Rob Crittenden 
-#
-# Copyright (C) 2013  Red Hat
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see .
-
-from copy import deepcopy
-from ipaserver.install.plugins import FIRST, LAST
-from ipaserver.install.plugins.baseupdate import PostUpdate
-from ipalib import api, errors
-from ipalib.aci import ACI
-from ipalib.plugins import aci
-from ipapython.ipa_log_manager import *
-
-class update_anonymous_aci(PostUpdate):
-"""
-