From 0bea7bc245fe1471008d20c78626c2fa2572e91c Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Mon, 19 Jan 2015 12:42:11 +0100
Subject: [PATCH] Replication Administrators cannot remove replication agreements

Replication agreement deletion requires read access to DNA range setting. The read access was accidently removed during PermissionV2 refactoring. Add the read ACI back as a special SYSTEM permission.

https://fedorahosted.org/freeipa/ticket/4848

Reviewed-By: Martin Basti
---
 install/updates/40-replication.update | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/install/updates/40-replication.update b/install/updates/40-replication.update
index 619d14663eeb6f692864c960dfd3542fc22cb581..f46ab19f0090ba313880e6d99636f50397f8d33b 100644
--- a/install/updates/40-replication.update
+++ b/install/updates/40-replication.update
@@ -14,3 +14,14 @@ default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
 
 dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
 add:aci: '(targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)'
+
+dn: cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:cn: Read DNA Range
+default:ipapermissiontype: SYSTEM
+default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
+
+dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
+add:aci: '(targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX";)'
-- 
2.1.0
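Review bot: The new `cn=Read DNA Range` entry and its `add:aci:` line carry no explanation in the update file of why this read grant exists or why it is typed `SYSTEM` rather than a managed PermissionV2 entry; the commit message says the read access was already lost once in the PermissionV2 refactoring, so the rationale should live next to the data, not only in git history. The read ACI also deliberately targets a wider attribute set than the `Modify DNA Range` ACI above it (it adds `cn`, `dnaThreshold`, `dnaType` and `objectclass`), which a future cleanup could easily trim back to the write set. I would precede the new permission entry with a comment along the lines of `# Read access to the DNA range entry is required for replication agreement removal (ticket 4848); kept as a SYSTEM permission so it is not regenerated by the managed-permission code` (assuming the update format accepts `#` comment lines, as elsewhere in these files), and a second short comment before the `add:aci:` line noting that the attribute list is intentionally broader than the Modify ACI's. The `dn: cn=Posix IDs,...` stanza is appended here with a second `add:aci:` rather than merged with the existing stanza of the same DN at the top of the hunk; that is harmless on apply, but a one-line comment saying the two stanzas are intentionally separate would prevent a later "merge duplicate DN" edit from dropping one of the ACIs.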