[Freeipa-devel] Design Review Keytab Retrieval

Nathaniel McCallum npmccallum at redhat.com
Mon Jun 23 21:24:02 UTC 2014


On Mon, 2014-06-23 at 14:35 -0400, Simo Sorce wrote:
> ----- Original Message -----
> > ----- Original Message -----
> > > > Can you check if ipaProtectedOperation is in the aci attribute in the
> > > > base tree object ?
> > > > It should be there as excluded, and that should cause admin to not be
> > > > able to retrieve keytabs.
> > > 
> > > It was not. While running ipa-ldap-updater I got the following:
> > > InvalidSyntax: ACL Syntax Error(-5):(targetattr=
> > > \22ipaProtectedOperation;write_keys\22)(version 3.0; acl \22Admins are
> > > allowed to rekey any entity\22; allow(write) groupdn =
> > > \22ldap:///cn=admins: Invalid syntax.
> > 
> > Uhmm, I do not see anything obviously wrong with the ACI instruction; it looks
> > just like the one I replaced. Ideas?
> > Do you have ipaProtectedOperation in the schema ?
> > 
> > (I rebased patch 3 but will wait to send a patchset until we understand (and
> > fix) why this is failing to update.)
> 
> Ok, apparently it was a quoting issue in the .update files, hopefully that's
> the only issue (I am at a conference today and do not have my test env. handy).
> 
> The attached patches are rebased on the latest master.

0001: Line 555 has very wrong indentation.

I don't see anything else wrong in the other patches. I've tested
everything and it works as designed.

I have CC'd everyone who was involved with review at any point on these
patches. This serves as my public notice that I'd like to ACK the next
round of patches. If anyone has anything else to add, please do it
before tomorrow evening. Thanks!

Nathaniel
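As an added illustration of the two technical points in the exchange above, the check Simo asks for (whether the base-tree ACI lists ipaProtectedOperation as excluded) and the ACL syntax error ipa-ldap-updater reported, here is a small Python parser for 389-ds style ACIs. This is example code written for this page, not FreeIPA's own ACI handling or its .update machinery; the three ACIs in it are constructed, the group DN and suffix are made up, and the quoting checks it applies (balanced double quotes, no \22 escape sequence where a literal quote belongs, a terminating ';)') are this example's own rules rather than a description of the server's parser.

```python
"""Parse 389-ds style ACIs and answer two questions from the thread:
is an attribute excluded by the admin grant, and is the ACI quoted sanely?

All sample ACIs below are constructed for this example; they follow the
389 Directory Server ACI syntax but are not copied from the FreeIPA tree.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed: a base-tree style admin ACI that excludes the protected
# attribute, so the generic admin grant does not cover keytab retrieval.
BASE_TREE_ACI = (
    '(targetattr != "ipaProtectedOperation || userPassword || krbPrincipalKey")'
    '(version 3.0; acl "Admin can manage any entry"; '
    'allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=test";)'
)

# Constructed: an explicit rekey grant on the write_keys subtype.
REKEY_ACI = (
    '(targetattr = "ipaProtectedOperation;write_keys")'
    '(version 3.0; acl "Admins are allowed to rekey any entity"; '
    'allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=test";)'
)

# Constructed: the same ACI with every double quote replaced by the escape
# sequence \22, the form visible in the error message quoted in the thread.
BROKEN_REKEY_ACI = REKEY_ACI.replace('"', '\\22')

TARGET_RE = re.compile(r'\(\s*(target\w*)\s*(!?=)\s*"([^"]*)"\s*\)')
HEADER_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.S)
RULE_RE = re.compile(r'\s*(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*;', re.S)


@dataclass
class Aci:
    targets: Dict[str, Tuple[str, List[str]]]   # keyword -> (operator, values)
    name: str
    rules: List[Tuple[str, List[str], str]]     # (allow|deny, permissions, bind rule)


def lint_quotes(text: str) -> List[str]:
    """Return the quoting problems this example checks for (empty list means clean)."""
    problems = []
    if '\\22' in text:
        problems.append('contains the escape sequence \\22 where a literal " is expected')
    if text.count('"') % 2:
        problems.append('unbalanced double quotes')
    if not text.rstrip().endswith(';)'):
        problems.append("ACI body does not end with ';)'")
    return problems


def parse_aci(text: str) -> Aci:
    """Split an ACI into its target clauses, acl name and allow/deny rules."""
    problems = lint_quotes(text)
    if problems:
        raise ValueError('; '.join(problems))
    split = text.find('(version')
    if split < 0:
        raise ValueError('missing (version 3.0; ...) header')
    targets = {}
    for keyword, op, value in TARGET_RE.findall(text[:split]):
        # targetattr takes an "a || b || c" list; other target keywords take one value
        values = [v.strip() for v in value.split('||')] if keyword == 'targetattr' else [value]
        targets[keyword] = (op, values)
    header = HEADER_RE.match(text[split:])
    if not header:
        raise ValueError('malformed version/acl header')
    rules = [(kind, [p.strip() for p in perms.split(',')], bind.strip())
             for kind, perms, bind in RULE_RE.findall(header.group(2))]
    if not rules:
        raise ValueError('no allow/deny rule found')
    return Aci(targets, header.group(1), rules)


def attr_excluded(aci: Aci, attr: str) -> bool:
    """True when the ACI targets every attribute except a list that contains attr."""
    op, values = aci.targets.get('targetattr', ('', []))
    return op == '!=' and attr.lower() in (v.lower() for v in values)


def attr_granted(aci: Aci, attr: str) -> bool:
    """True when the ACI explicitly targets attr (exact attribute;subtype match)."""
    op, values = aci.targets.get('targetattr', ('', []))
    return op == '=' and attr.lower() in (v.lower() for v in values)


if __name__ == '__main__':
    base = parse_aci(BASE_TREE_ACI)
    print('base tree excludes ipaProtectedOperation:', attr_excluded(base, 'ipaProtectedOperation'))
    rekey = parse_aci(REKEY_ACI)
    print('rekey ACI grants write_keys:', attr_granted(rekey, 'ipaProtectedOperation;write_keys'), rekey.rules)
    print('broken ACI problems:', lint_quotes(BROKEN_REKEY_ACI))
```

Run against an ACI pulled from the directory (for example the aci values on the suffix entry), attr_excluded tells you whether the admin grant really carves out ipaProtectedOperation, and lint_quotes catches the case where an .update file delivers escaped rather than literal quotes before the server rejects it with an ACL syntax error.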
