590d18
From 997adec1729490ec9c3316862a4393002e708894 Mon Sep 17 00:00:00 2001
590d18
From: Jan Cholasta <jcholast@redhat.com>
590d18
Date: Tue, 13 Oct 2015 10:10:48 +0200
590d18
Subject: [PATCH] vault: fix private service vault creation
590d18
590d18
https://fedorahosted.org/freeipa/ticket/5361
590d18
590d18
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
590d18
---
590d18
 install/updates/40-vault.update | 3 ++-
590d18
 ipalib/plugins/vault.py         | 4 ++--
590d18
 2 files changed, 4 insertions(+), 3 deletions(-)
590d18
590d18
diff --git a/install/updates/40-vault.update b/install/updates/40-vault.update
590d18
index 3daea5b1988333d4d482463af0eec4163e4f0760..8d03f348c0ec9aded11f47bad5d1de6e013607cd 100644
590d18
--- a/install/updates/40-vault.update
590d18
+++ b/install/updates/40-vault.update
590d18
@@ -7,8 +7,9 @@ remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0
590d18
 remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault members can access the vault"; allow(read, search, compare) userattr="member#GROUPDN";)
590d18
 remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#USERDN";)
590d18
 remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#GROUPDN";)
590d18
+remove: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow services to create private container"; allow(add) userdn="ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
590d18
 addifexist: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow users to create private container"; allow(add) userdn="ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
590d18
-addifexist: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow services to create private container"; allow(add) userdn="ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
590d18
+addifexist: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow services to create private container"; allow(add) userdn="ldap:///krbprincipalname=($$attr.cn),cn=services,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
590d18
 addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Container owners can access the container"; allow(read, search, compare) userattr="owner#USERDN";)
590d18
 addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Indirect container owners can access the container"; allow(read, search, compare) userattr="owner#GROUPDN";)
590d18
 addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description")(version 3.0; acl "Container owners can manage the container"; allow(write, delete) userattr="owner#USERDN";)
590d18
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
590d18
index 1159a84d58eb152cccdd791c96a1c876754bfa7d..d1d7f2a738999299bc9355a431e7adb6f514064e 100644
590d18
--- a/ipalib/plugins/vault.py
590d18
+++ b/ipalib/plugins/vault.py
590d18
@@ -399,7 +399,7 @@ class vaultcontainer(LDAPObject):
590d18
 
590d18
             (name, realm) = split_principal(principal)
590d18
             if '/' in name:
590d18
-                service = name
590d18
+                service = principal
590d18
             else:
590d18
                 user = name
590d18
 
590d18
@@ -717,7 +717,7 @@ class vault(LDAPObject):
590d18
 
590d18
             (name, realm) = split_principal(principal)
590d18
             if '/' in name:
590d18
-                service = name
590d18
+                service = principal
590d18
             else:
590d18
                 user = name
590d18
 
590d18
-- 
590d18
2.4.3
590d18