From b6258d08d6c5605b32151654c6259f7c77f1a32b Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Tue, 10 Jun 2014 12:31:29 +0200 Subject: Make sure member* attrs are always granted together in read permissions Memberofindirect processing of an entry doesn't work if the user doesn't have rights to any one of these attributes: - member - memberuser - memberhost Add all of these to any read permission that specifies any of them. Add a check to makeaci that will enforce this for any future permissions. Reviewed-By: Martin Kosek
---
 ipalib/plugins/netgroup.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'ipalib/plugins/netgroup.py')
diff --git a/ipalib/plugins/netgroup.py b/ipalib/plugins/netgroup.py
index 50f139990..8603f4cea 100644
--- a/ipalib/plugins/netgroup.py
+++ b/ipalib/plugins/netgroup.py
@@ -123,7 +123,8 @@ class netgroup(LDAPObject):
 'ipapermbindruletype': 'all',
 'ipapermright': {'read', 'search', 'compare'},
 'ipapermdefaultattr': {
- 'externalhost', 'member', 'memberof', 'memberuser'
+ 'externalhost', 'member', 'memberof', 'memberuser',
+ 'memberhost',
 },
 },
 }
-- cgit
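Review bot: The set under `'ipapermdefaultattr'` now carries an invariant that nothing at this site states: `member`, `memberuser` and `memberhost` have to be granted together, and the only explanation is in the commit message. A one-line comment above the set, such as `# member, memberuser and memberhost must be granted together (memberofindirect processing needs all three)`, would keep a later edit from dropping one of them. The visible bind rule type is `'all'`, so `memberhost` becomes readable, searchable and comparable to whoever that rule covers (presumably every authenticated user); that looks intended, but confirm it matches what netgroup host membership is meant to expose. The permission dict starts outside the hunk and the makeaci check mentioned in the message is not shown, so neither the permission's name nor the enforcement can be verified from here.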