On 09/03/2014 03:08 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On 09/03/2014 09:02 AM, Martin Kosek wrote:
>>> In the meantime, you can use the workaround that Rob sent, you would just
>>> need to delete it again when the fix is in, so that the permissions do not
>>> step on each other.
>>
>> Actually, wait a minute. I think Rob's ACI example may be too wide, it may
>> expose any attribute in the compat tree, including a potential userPassword.
>
> The ACI was on his custom cn=canlogin subtree, not all of cn=compat.
>
>> As I see, it seems that the slapi-nis plugin fortunately does not expose that,
>> but it is safer to just list the attributes that one wants to display (this is
>> also what we did in FreeIPA 4.0, no global wildcard-allowing ACIs any more).
>>
>> I added a respective permission via Web UI (one part of it cannot be added
>> via CLI, see https://fedorahosted.org/freeipa/ticket/4522) and the compat tree
>> now works for me. See attached example.
>>
>> Resulting permission shown in CLI:
>>
>> # ipa permission-show "TEMPORARY - Read compat tree"
>>   Permission name: TEMPORARY - Read compat tree
>>   Granted rights: read, search, compare
>>   Effective attributes: cn, description, gecos, gidnumber, homedirectory,
>>                         loginshell, memberuid, objectclass, uid, uidnumber
>>   Bind rule type: all
>>   Subtree: dc=mkosek-fedora20,dc=test
>>   ACI target DN: cn=compat,dc=mkosek-fedora20,dc=test
>>
>> It is much easier to manipulate than an ACI added via ldapmodify.
>
> I see you filed a bug on the missing CLI option. That's why I did the
> ACI, because I couldn't demonstrate how to add this ACI on the CLI. I
> hadn't gotten around to doing that last night.
>
> rob
Right. Surprisingly, the option was available in the Web UI, thus the Web UI
screenshot I attached to the thread :) But we have the CLI option fixed already;
it will be part of FreeIPA 4.0.2, which will be released very soon.

Martin
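The concern raised above is that an over-wide ACI on the compat tree could expose attributes such as userPassword to an anonymous ("all") bind rule. The following is an added audit helper, not code from the thread or from FreeIPA: it parses `ipa permission-show` style output (the sample below is constructed from the output quoted above) and flags a wildcard attribute list or any attribute from an assumed sensitive list when the bind rule type is "all".

```python
import re

# Attributes that should never be readable under bind rule type "all".
# This list is an assumption for the check; extend it to match local policy.
SENSITIVE_ATTRS = {"userpassword", "krbprincipalkey", "krbmkey",
                   "ipanthash", "unixuserpassword"}

# Constructed sample, modelled on the permission-show output quoted in the thread.
SAMPLE_OUTPUT = """\
  Permission name: TEMPORARY - Read compat tree
  Granted rights: read, search, compare
  Effective attributes: cn, description, gecos, gidnumber, homedirectory,
                        loginshell, memberuid, objectclass, uid, uidnumber
  Bind rule type: all
  Subtree: dc=mkosek-fedora20,dc=test
  ACI target DN: cn=compat,dc=mkosek-fedora20,dc=test
"""

_FIELD_RE = re.compile(r"\s*([A-Za-z][A-Za-z ]+?):\s*(.*)$")


def parse_permission_show(text):
    """Parse 'Key: value' lines into a dict; indented continuation lines
    (no colon) are appended to the value of the preceding key."""
    fields = {}
    current = None
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            current = m.group(1).strip()
            fields[current] = m.group(2).strip()
        elif current and line.strip():
            fields[current] += " " + line.strip()
    return fields


def audit_permission(text):
    """Return a list of findings; an empty list means the attribute list is
    explicit and contains nothing from SENSITIVE_ATTRS."""
    perm = parse_permission_show(text)
    findings = []
    raw_attrs = perm.get("Effective attributes", "")
    attrs = {a.strip().lower() for a in raw_attrs.split(",") if a.strip()}
    if perm.get("Bind rule type", "").lower() == "all":
        if "*" in attrs:
            findings.append("wildcard '*' in attribute list with bind rule 'all'")
        leaked = sorted(attrs & SENSITIVE_ATTRS)
        if leaked:
            findings.append("sensitive attributes readable by all: " + ", ".join(leaked))
    return findings
```

Feed it the captured output of `ipa permission-show <name>` for each permission whose subtree or target DN lies under cn=compat.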
