authorTomas Babej <tbabej@redhat.com>2014-05-14 14:48:07 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-06-25 20:14:51 +0200
commitb1275c5b1c2038c9769377e9cf0afe04139d1d8d (patch)
tree9de08018a9573e859ff931655406f5fae9537186 /install/updates/10-schema_compat.update
parenta1d6c9ab6b710076902c1dd8ffcdec96b2538c21 (diff)
sudorule: Enforce category ALL checks on dirsrv level
https://fedorahosted.org/freeipa/ticket/4341 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'install/updates/10-schema_compat.update')
-rw-r--r--install/updates/10-schema_compat.update10
1 files changed, 10 insertions, 0 deletions
diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update
index 7c362105d..aeddadbe3 100644
--- a/install/updates/10-schema_compat.update
+++ b/install/updates/10-schema_compat.update
@@ -4,10 +4,20 @@ add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%
add:schema-compat-entry-attribute: 'sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup}'
# Fix for #4324 (regression of #1309)
remove:schema-compat-entry-attribute:'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")'
+remove:schema-compat-entry-attribute:'sudoRunAsUser=%{ipaSudoRunAsExtUser}'
+remove:schema-compat-entry-attribute:'sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup}'
+remove:schema-compat-entry-attribute:'sudoRunAsUser=%deref("ipaSudoRunAs","uid")'
+remove:schema-compat-entry-attribute:'sudoRunAsGroup=%{ipaSudoRunAsExtGroup}'
+remove:schema-compat-entry-attribute:'sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")'
# We need to add the value in a separate transaction
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
add: schema-compat-entry-attribute: 'sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")'
+add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")'
+add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")'
+add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")'
+add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")'
+add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")'
# Change padding for host and userCategory so the pad returns the same value
# as the original, '' or -.