[Freeipa-devel] [PATCHES] 0552-0554 Upgrading write permissions

Martin Kosek mkosek at redhat.com
Wed May 28 15:15:43 UTC 2014


On 05/28/2014 05:13 PM, Ludwig Krispenz wrote:
> 
> On 05/28/2014 05:08 PM, Martin Kosek wrote:
>> On 05/28/2014 05:03 PM, Ludwig Krispenz wrote:
>>> On 05/28/2014 04:56 PM, Martin Kosek wrote:
>>>> On 05/28/2014 04:50 PM, Simo Sorce wrote:
>>>>> On Wed, 2014-05-28 at 16:27 +0200, Petr Viktorin wrote:
>>>>>> Simo, I hazily remember discussing that we should only allow specific
>>>>>> attributes on add, otherwise users can add entries with any extra
>>>>>> objectclasses and attributes. Did we come to a conclusion?
>>>>>> I might have confused targetattr with targetattrfilter in my notes;
>>>>>> since I see targetattr is ineffective.
>>>>>>
>>>>> Yes we need to restrict at least the allowed objectclasses I think.
>>>>>
>>>>> Simo.
>>>>>
>>>> We do not have support for targetattrfilter, I do not think this was ever
>>>> tested. This part of ACI is also not very well documented, I think Petr found
>>>> just one notice in the DS documentation about targetattrfilter.
>>> It is in chapter 13.2.3.5 in
>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html#Creating_ACIs_Manually-Defining_Targets
>>>
>>>
>>> and it is for unknown reasons: targattrfilters
>> Right, this is what I (and Petr) was talking about. The doc contains just this
>> single one line of information about targetattrfilters.
> Well, it is not much, but more than one line :-)

Ah, I see, that's much better. The problem was that the guide is referring to
"targattrfilters" and not "targetattrfilters" - thus my CTRL+F searching method
failed :-).

I added a note to the referred Bugzilla.

Martin
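
The concern raised in the thread, as an added example that is not part of the original messages or of FreeIPA's code: a small linter that flags ACIs using a near-miss spelling of the documented `targattrfilters` keyword, and ACIs that grant `add` without an `add=objectClass:...` clause. The sample ACIs, DNs and finding names are constructed, and the `add=attr:filter` clause shape is assumed from the Directory Server guide cited above.

```python
import re

DOCUMENTED = "targattrfilters"  # spelling used by the guide cited in the thread
KEYWORD_RE = re.compile(r'\(\s*([a-z_]+)\s*!?=\s*"')
RIGHTS_RE = re.compile(r'allow\s*\(([^)]*)\)')
FILTERS_RE = re.compile(r'\(\s*targattrfilters\s*=\s*"([^"]*)"')
ADD_CLAUSE_RE = re.compile(r'(?:^|,)\s*add\s*=(.*?)(?=,\s*del\s*=|$)', re.S)

def lint_aci(aci):
    """Return a sorted list of finding codes for one ACI string."""
    text = aci.lower()
    findings = set()
    # 1. Near-miss spellings such as "targetattrfilters" seen in the thread.
    for kw in KEYWORD_RE.findall(text):
        if "attrfilter" in kw and kw != DOCUMENTED:
            findings.add("misspelled-keyword")
    # 2. "add" (or "all") granted with no objectClass constraint on add.
    rights = {r.strip() for m in RIGHTS_RE.findall(text) for r in m.split(",")}
    if rights & {"add", "all"}:
        m = FILTERS_RE.search(text)
        clause = ADD_CLAUSE_RE.search(m.group(1)) if m else None
        if not clause or not re.search(r'objectclass\s*:', clause.group(1)):
            findings.add("add-without-objectclass-filter")
    return sorted(findings)

# Constructed sample ACIs (hypothetical DNs and ACL names).
_T = '(target = "ldap:///cn=*,cn=examples,dc=example,dc=com")'
_B = 'groupdn = "ldap:///cn=admins,dc=example,dc=com";)'
SAMPLES = {
    "open_add": _T + '(version 3.0; acl "constructed 1"; allow (add) ' + _B,
    "misspelled": _T
        + '(targetattrfilters = "add=objectClass:(objectClass=nsContainer)")'
        + '(version 3.0; acl "constructed 2"; allow (add) ' + _B,
    "restricted": _T
        + '(targattrfilters = "add=objectClass:'
        + '(|(objectClass=top)(objectClass=nsContainer))")'
        + '(version 3.0; acl "constructed 3"; allow (add) ' + _B,
    "del_only": _T
        + '(targattrfilters = "del=objectClass:(objectClass=nsContainer)")'
        + '(version 3.0; acl "constructed 4"; allow (all) ' + _B,
    "read_only": _T + '(version 3.0; acl "constructed 5"; allow (read, search) ' + _B,
}

if __name__ == "__main__":
    for name, aci in SAMPLES.items():
        print(name, lint_aci(aci))
```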



