diff options
author | Martin Kosek <mkosek@redhat.com> | 2012-09-12 09:34:35 +0200 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2012-09-16 17:59:12 -0400 |
commit | d8ba7d9145bda85aac3cf4810d36927f2325e267 (patch) | |
tree | 787c35d086fbf56fa465291aefce2f62eb65bdbe | |
parent | edf81385688a04bb138905d4322e29b3963a4a11 (diff) | |
download | freeipa-d8ba7d9145bda85aac3cf4810d36927f2325e267.tar.gz freeipa-d8ba7d9145bda85aac3cf4810d36927f2325e267.tar.xz freeipa-d8ba7d9145bda85aac3cf4810d36927f2325e267.zip |
Amend memberAllowCmd and memberDenyCmd attribute types
Attribute types of attributes designed to hold DN values are not
supposed to hold own ORDERING or SUBSTR matching rules (which were
even not correct in this case).
Update these attributes to only define an EQUALITY rule just like
other DN attribute types in IPA.
https://fedorahosted.org/freeipa/ticket/2866
-rw-r--r-- | install/share/65ipasudo.ldif | 4 | ||||
-rw-r--r-- | install/updates/10-60basev3.update | 2 |
2 files changed, 4 insertions, 2 deletions
diff --git a/install/share/65ipasudo.ldif b/install/share/65ipasudo.ldif index 7a85c8659..95ab4dd3f 100644 --- a/install/share/65ipasudo.ldif +++ b/install/share/65ipasudo.ldif @@ -6,9 +6,9 @@ dn: cn=schema ## ObjectClasses: 2.16.840.1.113730.3.8.8.x ## ## Attribute to store DN of an allowed SUDO command or a group of SUDO commands -attributetypes: (2.16.840.1.113730.3.8.7.1 NAME 'memberAllowCmd' DESC 'Reference to a command or group of commands that are allowed by the rule.' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' ) +attributetypes: (2.16.840.1.113730.3.8.7.1 NAME 'memberAllowCmd' DESC 'Reference to a command or group of commands that are allowed by the rule.' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' ) ## Attribute to store DN of a prohibited SUDO command or a group of SUDO commands -attributetypes: (2.16.840.1.113730.3.8.7.2 NAME 'memberDenyCmd' DESC 'Reference to a command or group of commands that are denied by the rule.' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' ) +attributetypes: (2.16.840.1.113730.3.8.7.2 NAME 'memberDenyCmd' DESC 'Reference to a command or group of commands that are denied by the rule.' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' ) ## Attribute to store command category attributeTypes: (2.16.840.1.113730.3.8.7.3 NAME 'cmdCategory' DESC 'Additional classification for commands' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) ## Attribute to store user not managed by the central server diff --git a/install/updates/10-60basev3.update b/install/updates/10-60basev3.update index dbd68581e..0a3481503 100644 --- a/install/updates/10-60basev3.update +++ b/install/updates/10-60basev3.update @@ -8,3 +8,5 @@ add:attributeTypes: (2.16.840.1.113730.3.8.11.32 NAME 'ipaKrbPrincipalAlias' DES add:attributeTypes: (2.16.840.1.113730.3.8.11.37 NAME 'ipaKrbAuthzData' DESC 'type of PAC preferred by a service' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3') add:objectClasses: (2.16.840.1.113730.3.8.12.8 NAME 'ipaKrbPrincipal' SUP krbPrincipalAux AUXILIARY MUST ( krbPrincipalName $$ ipaKrbPrincipalAlias ) X-ORIGIN 'IPA v3' ) replace:objectClasses: ( 2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $$ managedBy ) X-ORIGIN 'IPA v2' )::( 2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $$ managedBy $$ ipaKrbAuthzData) X-ORIGIN 'IPA v2' ) +replace:attributeTypes:( 2.16.840.1.113730.3.8.7.1 NAME 'memberAllowCmd' DESC 'Reference to a command or group of commands that are allowed by the rule.' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )::( 2.16.840.1.113730.3.8.7.1 NAME 'memberAllowCmd' DESC 'Reference to a command or group of commands that are allowed by the rule.' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' ) +replace:attributeTypes:( 2.16.840.1.113730.3.8.7.2 NAME 'memberDenyCmd' DESC 'Reference to a command or group of commands that are denied by the rule.' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )::( 2.16.840.1.113730.3.8.7.2 NAME 'memberDenyCmd' DESC 'Reference to a command or group of commands that are denied by the rule.' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' ) |