From b6258d08d6c5605b32151654c6259f7c77f1a32b Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Tue, 10 Jun 2014 12:31:29 +0200
Subject: Make sure member* attrs are always granted together in read permissions
Memberofindirect processing of an entry doesn't work if the user doesn't have rights to any one of these attributes:
- member
- memberuser
- memberhost
Add all of these to any read permission that specifies any of them. Add a check to makeaci that will enforce this for any future permissions.
Reviewed-By: Martin Kosek
---
ipalib/plugins/group.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'ipalib/plugins/group.py')
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 0de577dd0..581ee70b6 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -157,7 +157,7 @@ class group(LDAPObject):
 'ipapermbindruletype': 'all',
 'ipapermright': {'read', 'search', 'compare'},
 'ipapermdefaultattr': {
- 'member', 'memberof', 'memberuid',
+ 'member', 'memberof', 'memberuid', 'memberuser', 'memberhost',
 },
 },
 }
-- cgit
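Review bot: The widened `ipapermdefaultattr` set gives no hint of why `memberuser` and `memberhost` are listed on a group permission, so a later cleanup could trim them and break memberofindirect processing again. A comment above the set would record the constraint, for example `# member, memberuser and memberhost must be granted together; memberofindirect processing needs all three`. The context lines show this permission uses `'ipapermbindruletype': 'all'`, so the two new attributes become readable under the same bind rule as `member`. It is worth confirming that this extra read exposure is intended, since the permission's name and the rest of its definition lie outside the hunk. The makeaci check mentioned in the description is not part of this file section, so whether it covers this entry cannot be verified from here.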