From 997adec1729490ec9c3316862a4393002e708894 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 13 Oct 2015 10:10:48 +0200
Subject: [PATCH] vault: fix private service vault creation
|
https://fedorahosted.org/freeipa/ticket/5361
|
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
---
install/updates/40-vault.update | 3 ++-
ipalib/plugins/vault.py | 4 ++--
2 files changed, 4 insertions(+), 3 deletions(-)
|
diff --git a/install/updates/40-vault.update b/install/updates/40-vault.update
index 3daea5b1988333d4d482463af0eec4163e4f0760..8d03f348c0ec9aded11f47bad5d1de6e013607cd 100644
--- a/install/updates/40-vault.update
+++ b/install/updates/40-vault.update
@@ -7,8 +7,9 @@ remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0
remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault members can access the vault"; allow(read, search, compare) userattr="member#GROUPDN";)
remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#USERDN";)
remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#GROUPDN";)
+remove: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow services to create private container"; allow(add) userdn="ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
addifexist: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow users to create private container"; allow(add) userdn="ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
-addifexist: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow services to create private container"; allow(add) userdn="ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
+addifexist: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow services to create private container"; allow(add) userdn="ldap:///krbprincipalname=($$attr.cn),cn=services,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Container owners can access the container"; allow(read, search, compare) userattr="owner#USERDN";)
addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Indirect container owners can access the container"; allow(read, search, compare) userattr="owner#GROUPDN";)
addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description")(version 3.0; acl "Container owners can manage the container"; allow(write, delete) userattr="owner#USERDN";)
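Review bot: The `remove:` line added at the top of this hunk only takes effect if the ACI string installed by earlier releases is byte-identical to the quoted text; if any deployed variant differs (whitespace, attribute casing, a different realm macro) the old `krbprincipalname=($$attr.cn)@$REALM` rule stays in place next to the new one, so the upgrade path should be exercised against a server installed with the previous release. A leftover is a loosening rather than a lockout: as far as I can tell from the target and `owner#SELFDN` clause it would still let a service add an extra container named after its realm-less principal, which the plugin side of this commit no longer uses. The file also gives no hint why the services ACI now has no `@$REALM` while the users ACI keys on `uid=($$attr.cn)`; a line such as `# service container cn holds the full principal (incl. realm), so it matches krbprincipalname in cn=services,cn=accounts as-is` above the `addifexist:` would spare the next reader a trip to vault.py, assuming the updater accepts `#` comment lines as I believe it does.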
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index 1159a84d58eb152cccdd791c96a1c876754bfa7d..d1d7f2a738999299bc9355a431e7adb6f514064e 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -399,7 +399,7 @@ class vaultcontainer(LDAPObject):
|
(name, realm) = split_principal(principal)
if '/' in name:
- service = name
+ service = principal
else:
user = name
|
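Review bot: The two branches now key the owner asymmetrically — a user by the bare `name`, a service by the full `principal` including the realm — and nothing at the site says why, so the next person touching it is likely to "normalise" the service branch back to `name` and reintroduce the bug this commit fixes. A comment on the new line, `# keep the realm: the container cn must equal the service's krbprincipalname in cn=services,cn=accounts for the "create private container" ACI to match`, pins the reason to the code. The `realm` half of the `split_principal` result is no longer used in the service branch in the lines shown; if it is unused in the rest of the method as well, `(name, _) = split_principal(principal)` makes that explicit. The enclosing method of `vaultcontainer` begins and ends outside this hunk.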
@@ -717,7 +717,7 @@ class vault(LDAPObject):
|
(name, realm) = split_principal(principal)
if '/' in name:
- service = name
+ service = principal
else:
user = name
|
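Review bot: This hunk is a byte-for-byte copy of the principal classification in `vaultcontainer` (the `@@ -399` hunk), and the fix had to be applied in both places; a third copy would drift the same way. Since the two methods apparently both start from `user`/`service` being unset and only differ in what they do afterwards, the split belongs in one module-level helper that both call as `user, service = _principal_owner(principal)`, so the "service keeps its realm" rule lives in exactly one place with its justification. The enclosing method of `vault` begins and ends outside this hunk, so I cannot see whether `realm` is consumed later; the helper below drops it on that assumption and should keep returning it if it is.
```python
def _principal_owner(principal):
    """Split *principal* into its (user, service) owner form.

    A user principal yields its bare name; a service principal is kept
    whole (realm included) because the private-container ACI matches it
    against krbprincipalname in cn=services,cn=accounts.
    """
    (name, _realm) = split_principal(principal)
    if '/' in name:
        return None, principal
    return name, None
```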
--
2.4.3
|