-rw-r--r-- | ACI.txt | 22 | ||||
-rw-r--r-- | ipalib/plugins/group.py | 2 | ||||
-rw-r--r-- | ipalib/plugins/hbacrule.py | 2 | ||||
-rw-r--r-- | ipalib/plugins/hbacsvcgroup.py | 1 | ||||
-rw-r--r-- | ipalib/plugins/hostgroup.py | 2 | ||||
-rw-r--r-- | ipalib/plugins/netgroup.py | 3 | ||||
-rw-r--r-- | ipalib/plugins/permission.py | 2 | ||||
-rw-r--r-- | ipalib/plugins/privilege.py | 3 | ||||
-rw-r--r-- | ipalib/plugins/role.py | 3 | ||||
-rw-r--r-- | ipalib/plugins/selinuxusermap.py | 2 | ||||
-rw-r--r-- | ipalib/plugins/sudocmdgroup.py | 1 | ||||
-rw-r--r-- | ipalib/plugins/sudorule.py | 2 | ||||
-rwxr-xr-x | makeaci | 18 |
13 files changed, 43 insertions, 20 deletions
@@ -11,21 +11,21 @@ aci: (targetattr = "cn || ipacertificatesubjectbase || ipaconfigstring || ipacus
 dn: cn=System: Read Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "cn || cospriority || krbpwdpolicyreference || objectclass")(targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Read Group Password Policy costemplate";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "member || memberof || memberuid")(targetfilter = "(objectclass=ipausergroup)")(version 3.0;acl "permission:System: Read Group Membership";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "member || memberhost || memberof || memberuid || memberuser")(targetfilter = "(objectclass=ipausergroup)")(version 3.0;acl "permission:System: Read Group Membership";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "businesscategory || cn || description || gidnumber || ipaexternalmember || ipauniqueid || mepmanagedby || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipausergroup)")(version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=System: Read HBAC Rules,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "accessruletype || accesstime || cn || description || externalhost || hostcategory || ipaenabledflag || ipauniqueid || memberhost || memberservice || memberuser || objectclass || servicecategory || sourcehost || sourcehostcategory || usercategory")(targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Read HBAC Rules";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "accessruletype || accesstime || cn || description || externalhost || hostcategory || ipaenabledflag || ipauniqueid || member || memberhost || memberservice || memberuser || objectclass || servicecategory || sourcehost || sourcehostcategory || usercategory")(targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Read HBAC Rules";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read HBAC Services,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "cn || description || ipauniqueid || memberof || objectclass")(targetfilter = "(objectclass=ipahbacservice)")(version 3.0;acl "permission:System: Read HBAC Services";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read HBAC Service Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "businesscategory || cn || description || ipauniqueid || member || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipahbacservicegroup)")(version 3.0;acl "permission:System: Read HBAC Service Groups";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "businesscategory || cn || description || ipauniqueid || member || memberhost || memberuser || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipahbacservicegroup)")(version 3.0;acl "permission:System: Read HBAC Service Groups";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read Host Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "memberof")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Host Membership";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "cn || description || enrolledby || fqdn || ipaclientversion || ipakrbauthzdata || ipasshpubkey || ipauniqueid || krbcanonicalname || krblastpwdchange || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || l || macaddress || managedby || nshardwareplatform || nshostlocation || nsosversion || objectclass || serverhostname || usercertificate || userclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Hosts";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read Hostgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "member || memberof")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroup Membership";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "member || memberhost || memberof || memberuser")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroup Membership";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "businesscategory || cn || description || ipauniqueid || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroups";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read ID Ranges,cn=permissions,cn=pbac,dc=ipa,dc=example
@@ -35,29 +35,29 @@ aci: (targetattr = "krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticket
 dn: cn=System: Read User Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "krbmaxrenewableage || krbmaxticketlife")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read User Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read User Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Netgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "externalhost || member || memberof || memberuser")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Read Netgroup Membership";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "externalhost || member || memberhost || memberof || memberuser")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Read Netgroup Membership";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "cn || description || hostcategory || ipaenabledflag || ipauniqueid || nisdomainname || usercategory")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Read Netgroups";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read ACIs,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "aci")(version 3.0;acl "permission:System: Read ACIs";allow (compare,read,search) groupdn = "ldap:///cn=System: Read ACIs,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "businesscategory || cn || description || ipapermbindruletype || ipapermdefaultattr || ipapermexcludedattr || ipapermincludedattr || ipapermissiontype || ipapermlocation || ipapermright || ipapermtarget || ipapermtargetfilter || member || memberof || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipapermission)")(version 3.0;acl "permission:System: Read Permissions";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "businesscategory || cn || description || ipapermbindruletype || ipapermdefaultattr || ipapermexcludedattr || ipapermincludedattr || ipapermissiontype || ipapermlocation || ipapermright || ipapermtarget || ipapermtargetfilter || member || memberhost || memberof || memberuser || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipapermission)")(version 3.0;acl "permission:System: Read Permissions";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "businesscategory || cn || description || member || memberof || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Read Privileges";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "businesscategory || cn || description || member || memberhost || memberof || memberuser || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Read Privileges";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "cn || cospriority || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || objectclass")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "associateddomain || cn || objectclass")(targetfilter = "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Read Realm Domains";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read Roles,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "businesscategory || cn || description || member || memberof || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Read Roles";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Roles,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "businesscategory || cn || description || member || memberhost || memberof || memberuser || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Read Roles";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Roles,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read SELinux User Maps,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "accesstime || cn || description || hostcategory || ipaenabledflag || ipaselinuxuser || ipauniqueid || memberhost || memberuser || objectclass || seealso || usercategory")(targetfilter = "(objectclass=ipaselinuxusermap)")(version 3.0;acl "permission:System: Read SELinux User Maps";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "accesstime || cn || description || hostcategory || ipaenabledflag || ipaselinuxuser || ipauniqueid || member || memberhost || memberuser || objectclass || seealso || usercategory")(targetfilter = "(objectclass=ipaselinuxusermap)")(version 3.0;acl "permission:System: Read SELinux User Maps";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read Services,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "ipakrbauthzdata || ipakrbprincipalalias || ipauniqueid || krbcanonicalname || krblastpwdchange || krbobjectreferences || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || managedby || memberof || objectclass || usercertificate")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Read Services";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read Sudo Commands,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "description || ipauniqueid || memberof || objectclass || sudocmd")(targetfilter = "(objectclass=ipasudocmd)")(version 3.0;acl "permission:System: Read Sudo Commands";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read Sudo Command Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "businesscategory || cn || description || ipauniqueid || member || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipasudocmdgrp)")(version 3.0;acl "permission:System: Read Sudo Command Groups";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "businesscategory || cn || description || ipauniqueid || member || memberhost || memberuser || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipasudocmdgrp)")(version 3.0;acl "permission:System: Read Sudo Command Groups";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Add Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Add Sudo rule";allow (add) groupdn = "ldap:///cn=System: Add Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Delete Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example
@@ -65,7 +65,7 @@ aci: (targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:Sy
 dn: cn=System: Modify Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "cmdcategory || description || externalhost || externaluser || hostcategory || hostmask || ipaenabledflag || ipasudoopt || ipasudorunas || ipasudorunasextgroup || ipasudorunasextuser || ipasudorunasgroup || ipasudorunasgroupcategory || ipasudorunasusercategory || memberallowcmd || memberdenycmd || memberhost || memberuser || sudonotafter || sudonotbefore || sudoorder || usercategory")(targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Modify Sudo rule";allow (write) groupdn = "ldap:///cn=System: Modify Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Sudo Rules,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "cmdcategory || cn || description || externalhost || externaluser || hostcategory || hostmask || ipaenabledflag || ipasudoopt || ipasudorunas || ipasudorunasextgroup || ipasudorunasextuser || ipasudorunasgroup || ipasudorunasgroupcategory || ipasudorunasusercategory || ipauniqueid || memberallowcmd || memberdenycmd || memberhost || memberuser || objectclass || sudonotafter || sudonotbefore || sudoorder || usercategory")(targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Read Sudo Rules";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "cmdcategory || cn || description || externalhost || externaluser || hostcategory || hostmask || ipaenabledflag || ipasudoopt || ipasudorunas || ipasudorunasextgroup || ipasudorunasextuser || ipasudorunasgroup || ipasudorunasgroupcategory || ipasudorunasusercategory || ipauniqueid || member || memberallowcmd || memberdenycmd || memberhost || memberuser || objectclass || sudonotafter || sudonotbefore || sudoorder || usercategory")(targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Read Sudo Rules";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read Sudoers compat tree,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "cn || description || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read Trust Information,cn=permissions,cn=pbac,dc=ipa,dc=example
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 0de577dd0..581ee70b6 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -157,7 +157,7 @@ class group(LDAPObject):
 'ipapermbindruletype': 'all',
 'ipapermright': {'read', 'search', 'compare'},
 'ipapermdefaultattr': {
- 'member', 'memberof', 'memberuid',
+ 'member', 'memberof', 'memberuid', 'memberuser', 'memberhost',
 },
 },
 }
diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py
index b9b5cc87f..22844345b 100644
--- a/ipalib/plugins/hbacrule.py
+++ b/ipalib/plugins/hbacrule.py
@@ -144,7 +144,7 @@ class hbacrule(LDAPObject):
 'externalhost', 'hostcategory', 'ipaenabledflag', 'ipauniqueid',
 'memberhost', 'memberservice', 'memberuser', 'servicecategory',
 'sourcehost', 'sourcehostcategory',
- 'usercategory', 'objectclass',
+ 'usercategory', 'objectclass', 'member',
 },
 },
 }
diff --git a/ipalib/plugins/hbacsvcgroup.py b/ipalib/plugins/hbacsvcgroup.py
index 9884f2658..d0f25932e 100644
--- a/ipalib/plugins/hbacsvcgroup.py
+++ b/ipalib/plugins/hbacsvcgroup.py
@@ -70,6 +70,7 @@ class hbacsvcgroup(LDAPObject):
 'ipapermdefaultattr': {
 'businesscategory', 'cn', 'description', 'ipauniqueid',
 'member', 'o', 'objectclass', 'ou', 'owner', 'seealso',
+ 'memberuser', 'memberhost',
 },
 },
 }
diff --git a/ipalib/plugins/hostgroup.py b/ipalib/plugins/hostgroup.py
index 6420fb3ad..711ed8972 100644
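Review bot: The added `'memberuser', 'memberhost'` in group.py widen the `System: Read Group Membership` ACI, bound to `ldap:///all`, to attributes that nothing in this hunk suggests an ipausergroup entry carries, and the same holds for the hostgroup.py, hbacsvcgroup.py, sudocmdgroup.py, permission.py, privilege.py and role.py hunks; the reason is only recoverable from the makeaci hunk, so a later clean-up could drop the pair again and silently reintroduce the memberofindirect problem. A one-line comment next to each added pair would pin the intent, e.g. `# memberuser/memberhost are listed together with member so memberofindirect lookups see the whole entry; see check_member_attrs in makeaci`. netgroup.py is the one hunk where the newly readable attribute looks like it is actually populated (ipanisnetgroup entries appear to hold host members), so there the ACI change is a genuine extension of what any authenticated user can read and deserves an explicit sentence in the commit message rather than being folded into a consistency change. The enclosing managed_permissions dict starts and ends outside every one of these hunks.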
--- a/ipalib/plugins/hostgroup.py
+++ b/ipalib/plugins/hostgroup.py
@@ -91,7 +91,7 @@ class hostgroup(LDAPObject):
 'ipapermbindruletype': 'all',
 'ipapermright': {'read', 'search', 'compare'},
 'ipapermdefaultattr': {
- 'member', 'memberof',
+ 'member', 'memberof', 'memberuser', 'memberhost',
 },
 },
 }
diff --git a/ipalib/plugins/netgroup.py b/ipalib/plugins/netgroup.py
index 50f139990..8603f4cea 100644
--- a/ipalib/plugins/netgroup.py
+++ b/ipalib/plugins/netgroup.py
@@ -123,7 +123,8 @@ class netgroup(LDAPObject):
 'ipapermbindruletype': 'all',
 'ipapermright': {'read', 'search', 'compare'},
 'ipapermdefaultattr': {
- 'externalhost', 'member', 'memberof', 'memberuser'
+ 'externalhost', 'member', 'memberof', 'memberuser',
+ 'memberhost',
 },
 },
 }
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index bd225b92a..3c2127fcc 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -192,7 +192,7 @@ class permission(baseldap.LDAPObject):
 'ipapermdefaultattr', 'ipapermincludedattr', 'ipapermexcludedattr',
 'ipapermbindruletype', 'ipapermtarget', 'ipapermlocation',
 'ipapermright', 'ipapermtargetfilter',
- 'member', 'memberof',
+ 'member', 'memberof', 'memberuser', 'memberhost',
 },
 'default_privileges': {'RBAC Readers'},
 },
diff --git a/ipalib/plugins/privilege.py b/ipalib/plugins/privilege.py
index c0ab96646..cff6fe197 100644
--- a/ipalib/plugins/privilege.py
+++ b/ipalib/plugins/privilege.py
@@ -70,7 +70,8 @@ class privilege(LDAPObject):
 'ipapermright': {'read', 'search', 'compare'},
 'ipapermdefaultattr': {
 'businesscategory', 'cn', 'description', 'member', 'memberof',
- 'o', 'objectclass', 'ou', 'owner', 'seealso',
+ 'o', 'objectclass', 'ou', 'owner', 'seealso', 'memberuser',
+ 'memberhost',
 },
 'default_privileges': {'RBAC Readers'},
 },
diff --git a/ipalib/plugins/role.py b/ipalib/plugins/role.py
index c881b5b8b..cd56f7f47 100644
--- a/ipalib/plugins/role.py
+++ b/ipalib/plugins/role.py
@@ -88,7 +88,8 @@ class role(LDAPObject):
 'ipapermright': {'read', 'search', 'compare'},
 'ipapermdefaultattr': {
 'businesscategory', 'cn', 'description', 'member', 'memberof',
- 'o', 'objectclass', 'ou', 'owner', 'seealso',
+ 'o', 'objectclass', 'ou', 'owner', 'seealso', 'memberuser',
+ 'memberhost',
 },
 'default_privileges': {'RBAC Readers'},
 },
diff --git a/ipalib/plugins/selinuxusermap.py b/ipalib/plugins/selinuxusermap.py
index 7efabaaa6..d84503996 100644
--- a/ipalib/plugins/selinuxusermap.py
+++ b/ipalib/plugins/selinuxusermap.py
@@ -160,7 +160,7 @@ class selinuxusermap(LDAPObject):
 'accesstime', 'cn', 'description', 'hostcategory',
 'ipaenabledflag', 'ipaselinuxuser', 'ipauniqueid',
 'memberhost', 'memberuser', 'seealso', 'usercategory',
- 'objectclass',
+ 'objectclass', 'member',
 },
 },
 }
diff --git a/ipalib/plugins/sudocmdgroup.py b/ipalib/plugins/sudocmdgroup.py
index 44883f430..adde3abdb 100644
--- a/ipalib/plugins/sudocmdgroup.py
+++ b/ipalib/plugins/sudocmdgroup.py
@@ -75,6 +75,7 @@ class sudocmdgroup(LDAPObject):
 'ipapermdefaultattr': {
 'businesscategory', 'cn', 'description', 'ipauniqueid',
 'member', 'o', 'objectclass', 'ou', 'owner', 'seealso',
+ 'memberuser', 'memberhost',
 },
 },
 }
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index b6893310d..9c2e7c51e 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -133,7 +133,7 @@ class sudorule(LDAPObject):
 'ipasudorunasgroupcategory', 'ipasudorunasusercategory',
 'ipauniqueid', 'memberallowcmd', 'memberdenycmd',
 'memberhost', 'memberuser', 'sudonotafter', 'sudonotbefore',
- 'sudoorder', 'usercategory', 'objectclass',
+ 'sudoorder', 'usercategory', 'objectclass', 'member',
 },
 },
 'System: Read Sudoers compat tree': {
@@ -72,6 +72,24 @@ def generate_aci_lines(api):
 yield 'dn: %s\n' % dn
 yield 'aci: %s\n' % aci
+ check_member_attrs(name, template)
+
+
+def check_member_attrs(name, template):
+ """Check that member* attrs are always present together for read
+
+ ldap2._process_memberofindirect reads all these attributes together;
+ if the user doesn't have rights to one of them, the entire entry is
+ left out and memberofindirect processing returns wrong a result.
+ So we need all of them be readable.
+ """
+ checked_attrs = ['member', 'memberuser', 'memberhost']
+ perm_attrs = template.get('ipapermdefaultattr', ())
+ flags = [(a in perm_attrs) for a in checked_attrs]
+ if 'read' in template['ipapermright'] and any(flags) and not all(flags):
+ raise AssertionError("'%s' includes some but not all of %s" %
+ (name, checked_attrs))
+
 
 
 def main(options):
 api.bootstrap(
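Review bot: `check_member_attrs` only looks at `ipapermdefaultattr`, while the permission.py hunk in this same commit shows `ipapermincludedattr` is another key that contributes readable attributes; a template that grants one of the member* attributes only through that key would pass this check with a partial set, and `template['ipapermright']` is indexed unguarded on the next line although the attribute lookup two lines above is defaulted. I would union the two sources and make both lookups tolerant: `perm_attrs = set(template.get('ipapermdefaultattr', ())) | set(template.get('ipapermincludedattr', ()))` and `if 'read' in template.get('ipapermright', ()) and any(flags) and not all(flags):`. Whether any template actually uses ipapermincludedattr is not visible here, so treat the union as defensive rather than as a known failure. The docstring has two slips worth fixing in passing: "returns wrong a result" should read "returns a wrong result", and "we need all of them be readable" should read "we need all of them to be readable". The enclosing generate_aci_lines starts outside the hunk, so the indentation at which the new call sits in the loop cannot be confirmed from here.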