[Freeipa-devel] [PATCH 0032] Update ACIs to permit users to add/delete their own tokens
Simo Sorce
simo at redhat.com
Thu Jan 9 22:37:23 UTC 2014
On Thu, 2014-01-09 at 16:32 -0500, Nathaniel McCallum wrote:
> This patch is independent from my patches 0028-0031 and can be merged in
> any order.
>
> This patch has a bug, but I can't figure it out. We need to set
> nsslapd-access-userattr-strict on cn=config to "off".
Uhmm, what is the effect on ACL evaluation of changing this boolean?
I can't figure out from your commit nor from the 389ds commit what exactly
changes and how it impacts the security of the directory.
I ask because I was planning on using userattr to protect some
operations in the password plugin but was waiting due to bug:
https://fedorahosted.org/389/ticket/47571 which is being resolved.
I want to make sure your change won't change what these ACIs would allow.
Is this option simply allowing the use of add/delete ACIs to be
specified in conjunction with userattr, so that a user can add an attr
only if it contains its own DN ?
Will it allow the user to add multiple values to the same attr as long
as one of them is the userDN? Or will it restrict that case?
(I know that ipaTokenOwner is a single-value attribute, but the
mechanism you are enabling here is general, and I want to be sure of
what the semantics are)
Simo.
--
Simo Sorce * Red Hat, Inc * New York
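An added illustration, not code from the patch under discussion or from FreeIPA itself, of the ACI shape the question above is about: a 389-ds userattr bind rule that grants add and delete on a token entry only when the entry's ipaTokenOwner value is the DN of the bound user. The container DN and the ACI name are assumptions chosen for illustration. What nsslapd-access-userattr-strict changes, and how a multi-valued attribute would be evaluated, is exactly the open question in the thread and is not settled by this snippet.

```ldif
# Constructed example (not from the patch): add an ACI to the token container.
# The container DN below is an assumption chosen for illustration.
dn: cn=otp,dc=example,dc=com
changetype: modify
add: aci
aci: (targetfilter = "(objectClass=ipaToken)")(targetattr = "*")(version 3.0; acl "Users can add and delete their own tokens"; allow (add, delete) userattr = "ipaTokenOwner#USERDN";)
```

The `userattr = "ipaTokenOwner#USERDN"` bind rule compares the ipaTokenOwner value of the entry being added or deleted with the DN the client bound as, so a user can only create a token that names them as owner and only remove such a token. Apply with `ldapmodify` as Directory Manager and verify with a test user that an add naming another DN as ipaTokenOwner is refused.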