diff options
| author | Petr Viktorin <pviktori@redhat.com> | 2014-05-28 12:42:02 +0200 |
|---|---|---|
| committer | Petr Viktorin <pviktori@redhat.com> | 2014-05-29 16:22:37 +0200 |
| commit | 32efe5a887cba29165641419e0ee029d29ad020a (patch) | |
| tree | f319dc03620eb1b56ad1099c04da880cce0aa516 /ipalib/plugins/user.py | |
| parent | 647fa1db85c108f57d95a3f5e486525610b8ade4 (diff) | |
| download | freeipa-32efe5a887cba29165641419e0ee029d29ad020a.tar.gz freeipa-32efe5a887cba29165641419e0ee029d29ad020a.tar.xz freeipa-32efe5a887cba29165641419e0ee029d29ad020a.zip | |
Add managed read permission for the UPG Definition
Since user_add checks the UPG definition to see if UPG is enabled,
user admins need read access to add users correctly.
All attributes are allowed since UPG Definition is an extensibleObject;
the needed attributes are not in the schema.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'ipalib/plugins/user.py')
| -rw-r--r-- | ipalib/plugins/user.py | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 604502ee7..27ad36b7f 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -111,6 +111,12 @@ status_output_params = ( ), ) +UPG_DEFINITION_DN = DN(('cn', 'UPG Definition'), + ('cn', 'Definitions'), + ('cn', 'Managed Entries'), + ('cn', 'etc'), + api.env.basedn) + # characters to be used for generating random user passwords user_pwdchars = string.digits + string.ascii_letters + '_,.@+-=' @@ -319,6 +325,17 @@ class user(LDAPObject): 'memberof', }, }, + 'System: Read UPG Definition': { + # Required for adding users + 'replaces_global_anonymous_aci': True, + 'non_object': True, + 'ipapermlocation': UPG_DEFINITION_DN, + 'ipapermtarget': UPG_DEFINITION_DN, + 'ipapermbindruletype': 'permission', + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': {'*'}, + 'default_privileges': {'User Administrators'}, + }, } label = _('Users') |