authorPetr Viktorin <pviktori@redhat.com>2014-05-28 12:42:02 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-05-29 16:22:37 +0200
commit32efe5a887cba29165641419e0ee029d29ad020a (patch)
treef319dc03620eb1b56ad1099c04da880cce0aa516
parent647fa1db85c108f57d95a3f5e486525610b8ade4 (diff)
Add managed read permission for the UPG Definition
Since user_add checks the UPG definition to see if UPG is enabled, user admins need read access to add users correctly. All attributes are allowed since UPG Definition is an extensibleObject; the needed attributes are not in the schema. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
-rw-r--r--ipalib/plugins/user.py17
1 files changed, 17 insertions, 0 deletions
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 604502ee7..27ad36b7f 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -111,6 +111,12 @@ status_output_params = (
),
)
+UPG_DEFINITION_DN = DN(('cn', 'UPG Definition'),
+ ('cn', 'Definitions'),
+ ('cn', 'Managed Entries'),
+ ('cn', 'etc'),
+ api.env.basedn)
+
# characters to be used for generating random user passwords
user_pwdchars = string.digits + string.ascii_letters + '_,.@+-='
@@ -319,6 +325,17 @@ class user(LDAPObject):
'memberof',
},
},
+ 'System: Read UPG Definition': {
+ # Required for adding users
+ 'replaces_global_anonymous_aci': True,
+ 'non_object': True,
+ 'ipapermlocation': UPG_DEFINITION_DN,
+ 'ipapermtarget': UPG_DEFINITION_DN,
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {'*'},
+ 'default_privileges': {'User Administrators'},
+ },
}
label = _('Users')
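Review bot: The `'ipapermdefaultattr': {'*'}` entry grants read/search/compare on every attribute of the UPG Definition entry, but the reason for the wildcard lives only in the commit message; a reader of user.py sees just `# Required for adding users` and may later "tighten" it to an attribute list that the extensibleObject entry does not carry in schema. Extend the comment to `# Required for adding users: user_add reads this entry to see whether UPG is enabled.` and `# All attributes are granted because the entry is an extensibleObject whose attributes are not in the schema.` Since `'replaces_global_anonymous_aci': True` withdraws anonymous read on this one entry, anything other than user_add that reads the UPG definition without the 'User Administrators' privilege would lose access once the permission is applied; that is worth confirming, and mentioning in the same comment if such a caller exists. The scope is otherwise well bounded, as `ipapermlocation` and `ipapermtarget` both pin the permission to `UPG_DEFINITION_DN`. The enclosing `managed_permissions` dictionary and the `user` class start before this hunk.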