On 1 August 2013 15:55, Rob Crittenden <[email protected]> wrote:
> James Hogarth wrote:
>>
>> On 1 August 2013 09:36, Martin Kosek <[email protected]> wrote:
>>
>>> The patch for this would do basically this:
>>> - remove the following aci:
>>> (targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read,
>>> search, compare) groupdn = "ldap:///cn=Modify Replication
>>> Agreements,cn=permissions,cn=pbac,$SUFFIX";)
>>> ... from installer and from LDAP as it is too general
>>> - add new permission ACI like this:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version
>>> 3.0; acl "permission:Read Replication Agreements"; allow (read, search,
>>> compare) groupdn = "ldap:///cn=Read Replication
>>> Agreements,cn=permissions,cn=pbac,$SUFFIX";)
>>> - make sure that "Replication Administrators" privilege has it assigned.
>>>
>>> I created an upstream ticket to track this effort:
>>> https://fedorahosted.org/freeipa/ticket/3829
>>
>> Reading the upstream documentation I'm wondering if it'd be sensible to
>> include an additional ACI in replica-acis.ldif of:
>>
>> dn: $SUFFIX
>> changetype: modify
>> add: aci
>> aci: (targetattr=dn nsDS5ReplConflict nsUniqueId)(targetfilter="(|(objectclass=nsTombstone)(nsDS5ReplConflict=*))")(version 3.0; aci "conflict read access"; allow (read, search, compare) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
>>
>> From the upstream documentation here:
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Configuration_Command_and_File_Reference/index.html#Replication_Attributes_under_cnreplica_cnsuffixName_cnmapping_tree_cnconfig
>>
>> This would allow a user with Read Replication Agreements permission to
>> be able to search for conflicts or tombstone records which would seem
>> sane from a monitoring point of view...
>>
>> What do you think?
>
> I think this would be a separate issue. Being able to find the conflicting
> issues leads directly to the question "what do I do with them?" That is
> ticket https://fedorahosted.org/freeipa/ticket/1025

Thanks Rob - I think it worthwhile adding the permissions in place to at least find them as a 'quick win' as it were ... What to do after that is an interesting question and would probably take a fair chunk of work to make it nicely visible plus show ways to resolve it.

>> Also just to confirm the only thing I need to do with ACIs like this is
>> to update the ldif (delegation.ldif and replica-acis.ldif) with the new
>> role/privilege/permission and acis in install/share for the new installs
>> and add an appropriate entry (not quite ldif) in install/updates to
>> update the default schema of those updating in future, given no new
>> attributes - right?
>
> You'll need to create a .update file in install/updates to modify an
> existing installation.

That's great - I had a look through the README in there and looking at other similar bits appears to be fairly simple.
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
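The three ACIs quoted in this thread differ in what they let the permission holder read, and that difference is the whole point of the ticket. The following Python is an added illustration, not code from the thread, FreeIPA or 389-ds: it models only the target side of 389-ds ACI evaluation (targetattr and targetfilter; bind rules such as groupdn are ignored), substitutes dc=example,dc=com for $SUFFIX, and runs the three ACIs against constructed sample entries to show why `(targetattr != aci)` with no targetfilter is "too general" (it covers every attribute of every entry, userPassword included) and what the targeted replacements expose instead. The sample entries and their values are made up for the example.

```python
import re

# Added illustration for this thread: a constructed, simplified model of the
# target side of 389-ds ACI evaluation (targetattr + targetfilter only).
# Not FreeIPA or 389-ds code. Bind rules (groupdn, userdn, ...) are ignored,
# and $SUFFIX is assumed to be dc=example,dc=com.

SUFFIX = "dc=example,dc=com"

# The three ACIs from the thread, with $SUFFIX substituted.
OLD_ACI = ('(targetattr != aci)(version 3.0; aci "replica admins read access"; '
           'allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication '
           'Agreements,cn=permissions,cn=pbac,%s";)' % SUFFIX)
NEW_ACI = ('(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)'
           '(objectclass=nsds5replicationagreement)'
           '(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")'
           '(version 3.0; acl "permission:Read Replication Agreements"; '
           'allow (read, search, compare) groupdn = "ldap:///cn=Read Replication '
           'Agreements,cn=permissions,cn=pbac,%s";)' % SUFFIX)
CONFLICT_ACI = ('(targetattr=dn nsDS5ReplConflict nsUniqueId)'
                '(targetfilter="(|(objectclass=nsTombstone)(nsDS5ReplConflict=*))")'
                '(version 3.0; aci "conflict read access"; allow (read, search, compare) '
                'groupdn = "ldap:///cn=Read Replication '
                'Agreements,cn=permissions,cn=pbac,%s";)' % SUFFIX)


def parse_filter(text, pos=0):
    """Parse the subset of RFC 4515 filter syntax used in the ACIs above:
    (|...), (&...), (!...), equality (attr=value) and presence (attr=*)."""
    if text[pos] != "(":
        raise ValueError("filter must start with '(' at offset %d" % pos)
    pos += 1
    op = text[pos]
    if op in "|&!":
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        return (op, children), pos + 1
    end = text.index(")", pos)
    attr, _, value = text[pos:end].partition("=")
    return ("cmp", attr.strip().lower(), value.strip()), end + 1


def filter_matches(node, entry):
    """Evaluate a parsed filter against an entry (dict: lowercase attr -> values)."""
    op = node[0]
    if op == "|":
        return any(filter_matches(c, entry) for c in node[1])
    if op == "&":
        return all(filter_matches(c, entry) for c in node[1])
    if op == "!":
        return not filter_matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def parse_aci(aci):
    """Extract the name and the target clauses from an ACI string."""
    m = re.search(r'\(targetattr\s*(!=|=)\s*"?([^")]+?)"?\s*\)', aci)
    if m is None:
        raise ValueError("ACI without a targetattr clause")
    f = re.search(r'\(targetfilter\s*=\s*"([^"]+)"\s*\)', aci)
    name = re.search(r'\b(?:aci|acl)\s+"([^"]+)"', aci)
    return {
        "name": name.group(1) if name else "",
        "attrs": {a.lower() for a in m.group(2).split()},  # "*" means all
        "negated": m.group(1) == "!=",
        "filter": parse_filter(f.group(1))[0] if f else None,
    }


def exposed_attributes(aci, entry):
    """Attributes of `entry` that the ACI's target clauses cover.
    An empty set means the ACI does not apply to this entry at all."""
    a = parse_aci(aci)
    if a["filter"] is not None and not filter_matches(a["filter"], entry):
        return set()
    covered = set()
    for attr in entry:
        listed = "*" in a["attrs"] or attr in a["attrs"]
        if listed != a["negated"]:  # "!=" inverts the attribute list
            covered.add(attr)
    return covered


# Constructed sample entries (attribute names lowercased, values made up).
REPLICA = {"objectclass": ["top", "nsDS5Replica"], "cn": ["replica"],
           "nsds5replicaroot": [SUFFIX], "nsds5replicaid": ["4"],
           "nsds5replicabinddn": ["cn=replication manager,cn=config"]}
USER = {"objectclass": ["top", "person", "inetOrgPerson"], "uid": ["alice"],
        "cn": ["Alice Example"], "userpassword": ["{SSHA}constructed-hash"],
        "aci": ['(targetattr=userPassword)(version 3.0; aci "self"; allow (write) userdn="ldap:///self";)']}
CONFLICT = {"objectclass": ["top", "person", "inetOrgPerson"], "cn": ["bob"],
            "nsds5replconflict": ["namingConflict uid=bob,cn=users,cn=accounts," + SUFFIX],
            "nsuniqueid": ["11111111-22222222-33333333-44444444"]}

if __name__ == "__main__":
    for aci in (OLD_ACI, NEW_ACI, CONFLICT_ACI):
        print(parse_aci(aci)["name"])
        for label, entry in (("replica", REPLICA), ("user", USER), ("conflict", CONFLICT)):
            print("  %-8s -> %s" % (label, sorted(exposed_attributes(aci, entry))))
```

Running it shows the old ACI covering every attribute of the user entry except aci, the new one covering nothing on the user entry and everything on the replica entry, and the conflict ACI covering only nsDS5ReplConflict and nsUniqueId on the conflict entry. Real 389-ds evaluation also applies the bind rule and considers every matching ACI in the tree, so this model says what a single ACI targets, not what a given bind DN ends up allowed to see.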
