[Freeipa-devel] [PATCH] better access control and other minor things
Rob Crittenden
rcritten at redhat.com
Wed Dec 12 14:48:15 UTC 2007
Simo Sorce wrote:
> please check, although I have tested this with CLI and saw no side
> effects, I have slightly restricted access that was previously
> erroneously granted.
Just a couple of things:
+aci: (targetfilter =
"(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup)(objectClass=radiusprofile))")(targetattr
!= "aci || userPassword || krbPrincipalKey || sambaLMPassword ||
sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins
can manage Users and Groups"; allow (add, delete, read, write) groupdn =
"ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
Should this have an & before the attributes? Is this saying admins can
manage these objectclasses OR anything without these attributes?
For the CalledProcessError we have ipautil in there explicitly so
someone doesn't think it is coming from subprocess. I wonder if we
should simply rename the function to avoid confusion instead.
rob