[Freeipa-devel] Design Review Keytab Retrieval

Simo Sorce simo at redhat.com
Thu Jun 26 17:51:35 UTC 2014


On Thu, 2014-06-26 at 10:37 +0200, Martin Kosek wrote:
> On 06/26/2014 04:29 AM, Nathaniel McCallum wrote:
> > On Mon, 2014-06-23 at 17:24 -0400, Nathaniel McCallum wrote:
> >> On Mon, 2014-06-23 at 14:35 -0400, Simo Sorce wrote:
> >>> ----- Original Message -----
> >>>> ----- Original Message -----
> >>>>>> Can you check if ipaProtectedOperation is in the aci attribute in the
> >>>>>> base tree object?
> >>>>>> It should be there as excluded, and that should cause admin to not be
> >>>>>> able to retrieve keytabs.
> >>>>>
> >>>>> It was not. While running ipa-ldap-updater I got the following:
> >>>>> InvalidSyntax: ACL Syntax Error(-5):(targetattr=
> >>>>> \22ipaProtectedOperation;write_keys\22)(version 3.0; acl \22Admins are
> >>>>> allowed to rekey any entity\22; allow(write) groupdn =
> >>>>> \22ldap:///cn=admins: Invalid syntax.
> >>>>
> >>>> Uhmm, I do not see anything obviously wrong with the ACI instruction, it looks
> >>>> just like the one I replaced. Ideas?
> >>>> Do you have ipaProtectedOperation in the schema?
> >>>>
> >>>> (I rebased patch 3 but will wait to send a patchset until we understand (and
> >>>> fix) why this is failing to update.)
> >>>
> >>> Ok, apparently it was a quoting issue in the .update files, hopefully that's
> >>> the only issue (I am at a conference today and do not have my test env. handy).
> >>>
> >>> The attached patches are rebased on the latest master.
> >>
> >> 0001: Line 555 has very wrong indentation.
> >>
> >> I don't see anything else wrong in the other patches. I've tested
> >> everything and it works as designed.
> >>
> >> I have CC'd everyone who was involved with review at any point on these
> >> patches. This serves as my public notice that I'd like to ACK the next
> >> round of patches. If anyone has anything else to add, please do it
> >> before tomorrow evening. Thanks!
> >>
> >> Nathaniel
> > 
> > ACK
> > 
> > Nathaniel
> 
> Pushed all 6 patches to master. Thanks for careful review!

Not sure what happened but the indentation issue I sent a patch for was
not fixed in the final push and instead of a tab now there are 4 spaces:

Attached find patch that fixes the issue as seen in master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-incorrect-indentation.patch
Type: text/x-patch
Size: 1049 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140626/76392e2f/attachment.bin>