[Freeipa-devel] Design Review Keytab Retrieval

Nathaniel McCallum npmccallum at redhat.com
Thu Jun 26 02:29:32 UTC 2014


On Mon, 2014-06-23 at 17:24 -0400, Nathaniel McCallum wrote:
> On Mon, 2014-06-23 at 14:35 -0400, Simo Sorce wrote:
> > ----- Original Message -----
> > > ----- Original Message -----
> > > > > Can you check if ipaProtectedOperation is in the aci attribute in the
> > > > > base tree object ?
> > > > > It should be there as excluded, and that should cause admin to not be
> > > > > able to retrieve keytabs.
> > > > 
> > > > It was not. While running ipa-ldap-updater I got the following:
> > > > InvalidSyntax: ACL Syntax Error(-5):(targetattr=
> > > > \22ipaProtectedOperation;write_keys\22)(version 3.0; acl \22Admins are
> > > > allowed to rekey any entity\22; allow(write) groupdn =
> > > > \22ldap:///cn=admins: Invalid syntax.
> > > 
> > > Uhmm, I do not see anything obviously wrong with the ACI instruction; it looks
> > > just like the one I replaced. Ideas?
> > > Do you have ipaProtectedOperation in the schema?
> > > 
> > > (I rebased patch 3 but will wait to send a patchset until we understand (and
> > > fix) why this is failing to update.)
> > 
> > Ok, apparently it was a quoting issue in the .update files, hopefully that's
> > the only issue (I am at a conference today and do not have my test env. handy).
> > 
> > The attached patches are rebased on the latest master.
> 
> 0001: Line 555 has very wrong indentation.
> 
> I don't see anything else wrong in the other patches. I've tested
> everything and it works as designed.
> 
> I have CC'd everyone who was involved with review at any point on these
> patches. This serves as my public notice that I'd like to ACK the next
> round of patches. If anyone has anything else to add, please do it
> before tomorrow evening. Thanks!
> 
> Nathaniel

ACK

Nathaniel
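An added example (mine, not code from the patches or from FreeIPA) of a structural lint that can be run over an ACI string before it is committed to an .update file. It assumes the `\22` sequences in the error output above reached the server as literal backslash text rather than as real double quotes, and uses a placeholder groupdn DN since the thread only shows `cn=admins`.

```python
import re

# Constructed sample: the ACI as it appears in the quoted error output,
# with literal "\22" sequences where double quotes were expected.
BROKEN_ACI = (
    r'(targetattr=\22ipaProtectedOperation;write_keys\22)(version 3.0; '
    r'acl \22Admins are allowed to rekey any entity\22; allow(write) groupdn = '
    r'\22ldap:///cn=admins'
)

# Constructed sample: the same rule with real quotes and a closing ";)".
# The full groupdn DN is a placeholder; the thread only shows "cn=admins".
GOOD_ACI = (
    '(targetattr="ipaProtectedOperation;write_keys")(version 3.0; '
    'acl "Admins are allowed to rekey any entity"; allow(write) groupdn = '
    '"ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com";)'
)


def unescape_quotes(aci):
    """Turn literal \\22 sequences back into double quotes (assumed cause)."""
    return aci.replace("\\22", '"')


def lint_aci(aci):
    """Return a list of problems found in an ACI string; empty means it passes.

    Checks are purely structural (no directory server involved): literal
    \\22 escapes, unbalanced double quotes, and the clauses that the
    keytab-rekey rule in the thread needs to be complete.
    """
    problems = []
    if "\\22" in aci:
        problems.append('literal \\22 escape found where a " was expected')
    # Every opening quote needs a closing one.
    if aci.count('"') % 2 != 0:
        problems.append("unbalanced double quotes")
    if not re.search(r'\(targetattr\s*=\s*"[^"]+"\)', aci):
        problems.append("missing or unquoted targetattr clause")
    if not re.search(r'\(version\s+3\.0\s*;\s*acl\s+"[^"]+"\s*;', aci):
        problems.append("missing version/acl header")
    if not re.search(r'(allow|deny)\s*\([^)]+\)\s+\w+\s*=\s*"[^"]+"\s*;\s*\)$',
                     aci.strip()):
        problems.append("permission clause must end with a quoted bind rule and ';)'")
    return problems
```

Linting the broken string after `unescape_quotes` still reports an unbalanced quote and a missing closing `;)`, which matches where the server's error output stops.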
