[Freeipa-devel] [HEADS UP] Read ACI rework is now in master
Petr Viktorin
pviktori at redhat.com
Mon May 26 10:26:40 UTC 2014
All FreeIPA developers, hang on to your hats (be they red or otherwise)!
In master, the global ACI granting read/search/compare rights to anyone
has been removed in favor of granular managed permissions.
Please help test the change.
Emergency override:
If you find an issue, first report it and then give the following ldif
to ldapmodify to restore the global anonymous ACI.
Replace both instances of $SUFFIX by the DN that `ipa env basedn` gives you.
# LDIF: a line beginning with a single space continues the previous line
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenHOTP))(!(objectClass=ipatokenRadiusConfiguration)))")
 (target != "ldap:///idnsname=*,cn=dns,$SUFFIX")
 (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")
 (version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
Relevant ticket: https://fedorahosted.org/freeipa/ticket/3566
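As an added example (not part of this mail or of FreeIPA's own code): a small Python helper that fills in $SUFFIX, folds the override LDIF the way ldapmodify expects, and checks that an anonymous-read ACI of this shape still excludes the sensitive attributes and token objectClasses listed above. The base DN dc=example,dc=com and the weak ACI in the test are constructed for illustration.

```python
import re

# Constructed from the ACI in the mail: what the anonymous-read ACI must exclude.
SENSITIVE_ATTRS = [
    "userPassword", "krbPrincipalKey", "sambaLMPassword", "sambaNTPassword",
    "passwordHistory", "krbMKey", "userPKCS12", "ipaNTHash",
    "ipaNTTrustAuthOutgoing", "ipaNTTrustAuthIncoming",
]
TOKEN_CLASSES = ["ipaToken", "ipatokenTOTP", "ipatokenHOTP",
                 "ipatokenRadiusConfiguration"]

def build_aci(suffix):
    """Assemble the 'Enable Anonymous access' ACI for the given base DN."""
    targetfilter = "(&" + "".join(f"(!(objectClass={c}))" for c in TOKEN_CLASSES) + ")"
    targetattr = " || ".join(SENSITIVE_ATTRS)
    return (f'(targetfilter = "{targetfilter}")'
            f'(target != "ldap:///idnsname=*,cn=dns,{suffix}")'
            f'(targetattr != "{targetattr}")'
            '(version 3.0; acl "Enable Anonymous access"; '
            'allow (read, search, compare) userdn = "ldap:///anyone";)')

def fold_ldif_line(line, width=76):
    """Fold one long LDIF line; continuation lines start with one space (RFC 2849)."""
    parts = []
    while len(line) > width:
        parts.append(line[:width])
        line = " " + line[width:]
    parts.append(line)
    return "\n".join(parts)

def build_override_ldif(suffix):
    """The emergency-override LDIF from the mail with $SUFFIX filled in and folded."""
    return "\n".join([f"dn: {suffix}", "changetype: modify", "add: aci",
                      fold_ldif_line("aci: " + build_aci(suffix)), ""])

def aci_exclusions(aci):
    """Return (attributes, objectClasses) that an ACI of this shape excludes."""
    m = re.search(r'\(targetattr\s*!=\s*"([^"]*)"\)', aci)
    attrs = [a.strip() for a in m.group(1).split("||")] if m else []
    classes = re.findall(r"\(!\(objectClass=([^)]+)\)\)", aci)
    return attrs, classes

def missing_exclusions(aci, must_deny=SENSITIVE_ATTRS):
    """Sensitive attributes the ACI fails to exclude; an empty list is what you want."""
    excluded = {a.lower() for a in aci_exclusions(aci)[0]}
    return [a for a in must_deny if a.lower() not in excluded]
```

Pipe the result of build_override_ldif(basedn) into ldapmodify instead of pasting the wrapped text from the mail.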
--
Petr³