author | Tomas Babej <tbabej@redhat.com> | 2014-05-14 13:18:00 +0200 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-06-25 20:14:50 +0200 |
commit | 3a56b155e80a744c7a924915aae954e0a3d81e9e (patch) | |
tree | eb555b6e8dd58f1c02d8e59beb4b96e0bd62fc81 /install/updates/10-schema_compat.update | |
parent | 9304b649a32c57e80f53913d7fbdee92fd76a251 (diff) | |
sudorule: Make sure sudoRunAsGroup is dereferencing the correct attribute
Makes sure we dereference the correct attribute. Also adds object class
checking.
https://fedorahosted.org/freeipa/ticket/4324
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'install/updates/10-schema_compat.update')
-rw-r--r-- | install/updates/10-schema_compat.update | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update
index 6f0ed9080..7c362105d 100644
--- a/install/updates/10-schema_compat.update
+++ b/install/updates/10-schema_compat.update
@@ -1,10 +1,13 @@
 dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
 only:schema-compat-entry-rdn:'%ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")'
-replace: schema-compat-entry-attribute:'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")::sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")'
-
-dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
 add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")'
 add:schema-compat-entry-attribute: 'sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup}'
+# Fix for #4324 (regression of #1309)
+remove:schema-compat-entry-attribute:'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")'
+
+# We need to add the value in a separate transaction
+dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
+add: schema-compat-entry-attribute: 'sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")'
 
 # Change padding for host and userCategory so the pad returns the same value
 # as the original, '' or -.
|
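Review bot: The added `remove:` line names only the exact legacy value `sudoRunAsGroup=%deref("ipaSudoRunAs","cn")`, so a server whose cn=sudoers entry carries any other old sudoRunAsGroup mapping would presumably keep it next to the new `%deref_f` value and go on publishing group names taken from the wrong attribute to sudo clients. Because this mapping decides which run-as groups the compat tree advertises, the `# Fix for #4324` comment should state which prior values are expected on upgrade and that exactly one sudoRunAsGroup mapping must remain afterwards. The comment `# We need to add the value in a separate transaction` would be more useful if it named the updater behaviour that forces the split, since the reason is not visible in this hunk. The new line is written `add: schema-compat-entry-attribute:` with a space after `add:`, unlike the neighbouring `add:schema-compat-entry-attribute:` lines; matching them would avoid depending on how the parser trims the keyword.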