From b6258d08d6c5605b32151654c6259f7c77f1a32b Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Tue, 10 Jun 2014 12:31:29 +0200
Subject: Make sure member* attrs are always granted together in read permissions Memberofindirect processing of an entry doesn't work if the user doesn't have rights to any one of these attributes: - member - memberuser - memberhost Add all of these to any read permission that specifies any of them. Add a check to makeaci that will enforce this for any future permissions.
Reviewed-By: Martin Kosek
---
 ipalib/plugins/sudocmdgroup.py | 1 +
 1 file changed, 1 insertion(+)
(limited to 'ipalib/plugins/sudocmdgroup.py')
diff --git a/ipalib/plugins/sudocmdgroup.py b/ipalib/plugins/sudocmdgroup.py
index 44883f430..adde3abdb 100644
--- ipalib/plugins/sudocmdgroup.py
+++ ipalib/plugins/sudocmdgroup.py
@@ -75,6 +75,7 @@ class sudocmdgroup(LDAPObject):
 'ipapermdefaultattr': {
 'businesscategory', 'cn', 'description', 'ipauniqueid', 'member', 'o', 'objectclass', 'ou', 'owner', 'seealso',
+ 'memberuser', 'memberhost',
 },
 },
 }
-- cgit
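Review bot: The added line `'memberuser', 'memberhost',` in `ipapermdefaultattr` has no comment explaining why this read permission grants the two attributes, so a later least-privilege cleanup could remove them and break the memberofindirect processing the commit message describes. A one-line comment above it would record the reason, e.g. `# member, memberuser and memberhost must be granted together for memberofindirect processing (enforced in makeaci)`. Since the change widens what the permission lets a client read, it is also worth confirming the permission's bind rule type and target, which are outside this hunk, so the extra attributes reach only the intended audience. The enclosing dict and the `sudocmdgroup` class begin and end outside the hunk.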