Make sure member* attrs are always granted together in read permissions

Memberofindirect processing of an entry doesn't work if the user doesn't have rights to any one of these attributes: - member - memberuser - memberhost Add all of these to any read permission that specifies any of them. Add a check to makeaci that will enforce this for any future permissions. Reviewed-By: Martin Kosek <mkosek@redhat.com>
author: Petr Viktorin <pviktori@redhat.com> 2014-06-10 12:31:29 +0200
committer: Petr Viktorin <pviktori@redhat.com> 2014-06-11 13:21:30 +0200
commit: b6258d08d6c5605b32151654c6259f7c77f1a32b (patch)
tree: 7498bba33fa7f720e86ceec7203333da88a27719
parent: 2f3cdba54620989afba0ce1b423cddb56b841ab3 (diff)
download: freeipa-b6258d08d6c5605b32151654c6259f7c77f1a32b.tar.gz
freeipa-b6258d08d6c5605b32151654c6259f7c77f1a32b.tar.xz
freeipa-b6258d08d6c5605b32151654c6259f7c77f1a32b.zip
13 files changed, 43 insertions, 20 deletions
diff --git a/ACI.txt b/ACI.txt
index 011b0aeae..2ceaacc07 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -11,21 +11,21 @@ aci: (targetattr = "cn || ipacertificatesubjectbase || ipaconfigstring || ipacus
 dn: cn=System: Read Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "cn || cospriority || krbpwdpolicyreference || objectclass")(targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Read Group Password Policy costemplate";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "member || memberof || memberuid")(targetfilter = "(objectclass=ipausergroup)")(version 3.0;acl "permission:System: Read Group Membership";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "member || memberhost || memberof || memberuid || memberuser")(targetfilter = "(objectclass=ipausergroup)")(version 3.0;acl "permission:System: Read Group Membership";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "businesscategory || cn || description || gidnumber || ipaexternalmember || ipauniqueid || mepmanagedby || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipausergroup)")(version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=System: Read HBAC Rules,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "accessruletype || accesstime || cn || description || externalhost || hostcategory || ipaenabledflag || ipauniqueid || memberhost || memberservice || memberuser || objectclass || servicecategory || sourcehost || sourcehostcategory || usercategory")(targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Read HBAC Rules";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "accessruletype || accesstime || cn || description || externalhost || hostcategory || ipaenabledflag || ipauniqueid || member || memberhost || memberservice || memberuser || objectclass || servicecategory || sourcehost || sourcehostcategory || usercategory")(targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Read HBAC Rules";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read HBAC Services,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "cn || description || ipauniqueid || memberof || objectclass")(targetfilter = "(objectclass=ipahbacservice)")(version 3.0;acl "permission:System: Read HBAC Services";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read HBAC Service Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "businesscategory || cn || description || ipauniqueid || member || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipahbacservicegroup)")(version 3.0;acl "permission:System: Read HBAC Service Groups";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "businesscategory || cn || description || ipauniqueid || member || memberhost || memberuser || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipahbacservicegroup)")(version 3.0;acl "permission:System: Read HBAC Service Groups";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read Host Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "memberof")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Host Membership";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "cn || description || enrolledby || fqdn || ipaclientversion || ipakrbauthzdata || ipasshpubkey || ipauniqueid || krbcanonicalname || krblastpwdchange || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || l || macaddress || managedby || nshardwareplatform || nshostlocation || nsosversion || objectclass || serverhostname || usercertificate || userclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Hosts";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read Hostgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "member || memberof")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroup Membership";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "member || memberhost || memberof || memberuser")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroup Membership";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "businesscategory || cn || description || ipauniqueid || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroups";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read ID Ranges,cn=permissions,cn=pbac,dc=ipa,dc=example
@@ -35,29 +35,29 @@ aci: (targetattr = "krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticket
 dn: cn=System: Read User Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "krbmaxrenewableage || krbmaxticketlife")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read User Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read User Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Netgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "externalhost || member || memberof || memberuser")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Read Netgroup Membership";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "externalhost || member || memberhost || memberof || memberuser")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Read Netgroup Membership";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "cn || description || hostcategory || ipaenabledflag || ipauniqueid || nisdomainname || usercategory")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Read Netgroups";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read ACIs,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "aci")(version 3.0;acl "permission:System: Read ACIs";allow (compare,read,search) groupdn = "ldap:///cn=System: Read ACIs,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "businesscategory || cn || description || ipapermbindruletype || ipapermdefaultattr || ipapermexcludedattr || ipapermincludedattr || ipapermissiontype || ipapermlocation || ipapermright || ipapermtarget || ipapermtargetfilter || member || memberof || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipapermission)")(version 3.0;acl "permission:System: Read Permissions";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "businesscategory || cn || description || ipapermbindruletype || ipapermdefaultattr || ipapermexcludedattr || ipapermincludedattr || ipapermissiontype || ipapermlocation || ipapermright || ipapermtarget || ipapermtargetfilter || member || memberhost || memberof || memberuser || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipapermission)")(version 3.0;acl "permission:System: Read Permissions";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "businesscategory || cn || description || member || memberof || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Read Privileges";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "businesscategory || cn || description || member || memberhost || memberof || memberuser || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Read Privileges";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "cn || cospriority || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || objectclass")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "associateddomain || cn || objectclass")(targetfilter = "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Read Realm Domains";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read Roles,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "businesscategory || cn || description || member || memberof || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Read Roles";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Roles,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "businesscategory || cn || description || member || memberhost || memberof || memberuser || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Read Roles";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Roles,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read SELinux User Maps,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "accesstime || cn || description || hostcategory || ipaenabledflag || ipaselinuxuser || ipauniqueid || memberhost || memberuser || objectclass || seealso || usercategory")(targetfilter = "(objectclass=ipaselinuxusermap)")(version 3.0;acl "permission:System: Read SELinux User Maps";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "accesstime || cn || description || hostcategory || ipaenabledflag || ipaselinuxuser || ipauniqueid || member || memberhost || memberuser || objectclass || seealso || usercategory")(targetfilter = "(objectclass=ipaselinuxusermap)")(version 3.0;acl "permission:System: Read SELinux User Maps";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read Services,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "ipakrbauthzdata || ipakrbprincipalalias || ipauniqueid || krbcanonicalname || krblastpwdchange || krbobjectreferences || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || managedby || memberof || objectclass || usercertificate")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Read Services";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read Sudo Commands,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "description || ipauniqueid || memberof || objectclass || sudocmd")(targetfilter = "(objectclass=ipasudocmd)")(version 3.0;acl "permission:System: Read Sudo Commands";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read Sudo Command Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "businesscategory || cn || description || ipauniqueid || member || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipasudocmdgrp)")(version 3.0;acl "permission:System: Read Sudo Command Groups";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "businesscategory || cn || description || ipauniqueid || member || memberhost || memberuser || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipasudocmdgrp)")(version 3.0;acl "permission:System: Read Sudo Command Groups";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Add Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Add Sudo rule";allow (add) groupdn = "ldap:///cn=System: Add Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Delete Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example
@@ -65,7 +65,7 @@ aci: (targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:Sy
 dn: cn=System: Modify Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "cmdcategory || description || externalhost || externaluser || hostcategory || hostmask || ipaenabledflag || ipasudoopt || ipasudorunas || ipasudorunasextgroup || ipasudorunasextuser || ipasudorunasgroup || ipasudorunasgroupcategory || ipasudorunasusercategory || memberallowcmd || memberdenycmd || memberhost || memberuser || sudonotafter || sudonotbefore || sudoorder || usercategory")(targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Modify Sudo rule";allow (write) groupdn = "ldap:///cn=System: Modify Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Sudo Rules,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "cmdcategory || cn || description || externalhost || externaluser || hostcategory || hostmask || ipaenabledflag || ipasudoopt || ipasudorunas || ipasudorunasextgroup || ipasudorunasextuser || ipasudorunasgroup || ipasudorunasgroupcategory || ipasudorunasusercategory || ipauniqueid || memberallowcmd || memberdenycmd || memberhost || memberuser || objectclass || sudonotafter || sudonotbefore || sudoorder || usercategory")(targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Read Sudo Rules";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "cmdcategory || cn || description || externalhost || externaluser || hostcategory || hostmask || ipaenabledflag || ipasudoopt || ipasudorunas || ipasudorunasextgroup || ipasudorunasextuser || ipasudorunasgroup || ipasudorunasgroupcategory || ipasudorunasusercategory || ipauniqueid || member || memberallowcmd || memberdenycmd || memberhost || memberuser || objectclass || sudonotafter || sudonotbefore || sudoorder || usercategory")(targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Read Sudo Rules";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read Sudoers compat tree,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "cn || description || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read Trust Information,cn=permissions,cn=pbac,dc=ipa,dc=example
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 0de577dd0..581ee70b6 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -157,7 +157,7 @@ class group(LDAPObject):
             'ipapermbindruletype': 'all',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
-                'member', 'memberof', 'memberuid',
+                'member', 'memberof', 'memberuid', 'memberuser', 'memberhost',
             },
         },
     }
diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py
index b9b5cc87f..22844345b 100644
--- a/ipalib/plugins/hbacrule.py
+++ b/ipalib/plugins/hbacrule.py
@@ -144,7 +144,7 @@ class hbacrule(LDAPObject):
                 'externalhost', 'hostcategory', 'ipaenabledflag',
                 'ipauniqueid', 'memberhost', 'memberservice', 'memberuser',
                 'servicecategory', 'sourcehost', 'sourcehostcategory',
-                'usercategory', 'objectclass',
+                'usercategory', 'objectclass', 'member',
             },
         },
     }
diff --git a/ipalib/plugins/hbacsvcgroup.py b/ipalib/plugins/hbacsvcgroup.py
index 9884f2658..d0f25932e 100644
--- a/ipalib/plugins/hbacsvcgroup.py
+++ b/ipalib/plugins/hbacsvcgroup.py
@@ -70,6 +70,7 @@ class hbacsvcgroup(LDAPObject):
             'ipapermdefaultattr': {
                 'businesscategory', 'cn', 'description', 'ipauniqueid',
                 'member', 'o', 'objectclass', 'ou', 'owner', 'seealso',
+                'memberuser', 'memberhost',
             },
         },
     }
diff --git a/ipalib/plugins/hostgroup.py b/ipalib/plugins/hostgroup.py
index 6420fb3ad..711ed8972 100644
--- a/ipalib/plugins/hostgroup.py
+++ b/ipalib/plugins/hostgroup.py
@@ -91,7 +91,7 @@ class hostgroup(LDAPObject):
             'ipapermbindruletype': 'all',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
-                'member', 'memberof',
+                'member', 'memberof', 'memberuser', 'memberhost',
             },
         },
     }
diff --git a/ipalib/plugins/netgroup.py b/ipalib/plugins/netgroup.py
index 50f139990..8603f4cea 100644
--- a/ipalib/plugins/netgroup.py
+++ b/ipalib/plugins/netgroup.py
@@ -123,7 +123,8 @@ class netgroup(LDAPObject):
             'ipapermbindruletype': 'all',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
-                'externalhost', 'member', 'memberof', 'memberuser'
+                'externalhost', 'member', 'memberof', 'memberuser',
+                'memberhost',
             },
         },
     }
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index bd225b92a..3c2127fcc 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -192,7 +192,7 @@ class permission(baseldap.LDAPObject):
                 'ipapermdefaultattr', 'ipapermincludedattr',
                 'ipapermexcludedattr', 'ipapermbindruletype', 'ipapermtarget',
                 'ipapermlocation', 'ipapermright', 'ipapermtargetfilter',
-                'member', 'memberof',
+                'member', 'memberof', 'memberuser', 'memberhost',
             },
             'default_privileges': {'RBAC Readers'},
         },
diff --git a/ipalib/plugins/privilege.py b/ipalib/plugins/privilege.py
index c0ab96646..cff6fe197 100644
--- a/ipalib/plugins/privilege.py
+++ b/ipalib/plugins/privilege.py
@@ -70,7 +70,8 @@ class privilege(LDAPObject):
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
                 'businesscategory', 'cn', 'description', 'member', 'memberof',
-                'o', 'objectclass', 'ou', 'owner', 'seealso',
+                'o', 'objectclass', 'ou', 'owner', 'seealso', 'memberuser',
+                'memberhost',
             },
             'default_privileges': {'RBAC Readers'},
         },
diff --git a/ipalib/plugins/role.py b/ipalib/plugins/role.py
index c881b5b8b..cd56f7f47 100644
--- a/ipalib/plugins/role.py
+++ b/ipalib/plugins/role.py
@@ -88,7 +88,8 @@ class role(LDAPObject):
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
                 'businesscategory', 'cn', 'description', 'member', 'memberof',
-                'o', 'objectclass', 'ou', 'owner', 'seealso',
+                'o', 'objectclass', 'ou', 'owner', 'seealso', 'memberuser',
+                'memberhost',
             },
             'default_privileges': {'RBAC Readers'},
         },
diff --git a/ipalib/plugins/selinuxusermap.py b/ipalib/plugins/selinuxusermap.py
index 7efabaaa6..d84503996 100644
--- a/ipalib/plugins/selinuxusermap.py
+++ b/ipalib/plugins/selinuxusermap.py
@@ -160,7 +160,7 @@ class selinuxusermap(LDAPObject):
                 'accesstime', 'cn', 'description', 'hostcategory',
                 'ipaenabledflag', 'ipaselinuxuser', 'ipauniqueid',
                 'memberhost', 'memberuser', 'seealso', 'usercategory',
-                'objectclass',
+                'objectclass', 'member',
             },
         },
     }
diff --git a/ipalib/plugins/sudocmdgroup.py b/ipalib/plugins/sudocmdgroup.py
index 44883f430..adde3abdb 100644
--- a/ipalib/plugins/sudocmdgroup.py
+++ b/ipalib/plugins/sudocmdgroup.py
@@ -75,6 +75,7 @@ class sudocmdgroup(LDAPObject):
             'ipapermdefaultattr': {
                 'businesscategory', 'cn', 'description', 'ipauniqueid',
                 'member', 'o', 'objectclass', 'ou', 'owner', 'seealso',
+                'memberuser', 'memberhost',
             },
         },
     }
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index b6893310d..9c2e7c51e 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -133,7 +133,7 @@ class sudorule(LDAPObject):
                 'ipasudorunasgroupcategory', 'ipasudorunasusercategory',
                 'ipauniqueid', 'memberallowcmd', 'memberdenycmd',
                 'memberhost', 'memberuser', 'sudonotafter', 'sudonotbefore',
-                'sudoorder', 'usercategory', 'objectclass',
+                'sudoorder', 'usercategory', 'objectclass', 'member',
             },
         },
         'System: Read Sudoers compat tree': {
diff --git a/makeaci b/makeaci
index ab823558d..6c1a4603c 100755
--- a/makeaci
+++ b/makeaci
@@ -72,6 +72,24 @@ def generate_aci_lines(api):
         yield 'dn: %s\n' % dn
         yield 'aci: %s\n' % aci
 
+        check_member_attrs(name, template)
+
+
+def check_member_attrs(name, template):
+    """Check that member* attrs are always present together for read
+
+    ldap2._process_memberofindirect reads all these attributes together;
+    if the user doesn't have rights to one of them, the entire entry is
+    left out and memberofindirect processing returns wrong a result.
+    So we need all of them be readable.
+    """
+    checked_attrs = ['member', 'memberuser', 'memberhost']
+    perm_attrs = template.get('ipapermdefaultattr', ())
+    flags = [(a in perm_attrs) for a in checked_attrs]
+    if 'read' in template['ipapermright'] and any(flags) and not all(flags):
+        raise AssertionError("'%s' includes some  but not all of %s" %
+                             (name, checked_attrs))
+
 
 def main(options):
     api.bootstrap(
author	Petr Viktorin <pviktori@redhat.com>	2014-06-10 12:31:29 +0200
committer	Petr Viktorin <pviktori@redhat.com>	2014-06-11 13:21:30 +0200
commit	b6258d08d6c5605b32151654c6259f7c77f1a32b (patch)
tree	7498bba33fa7f720e86ceec7203333da88a27719
parent	2f3cdba54620989afba0ce1b423cddb56b841ab3 (diff)
download	freeipa-b6258d08d6c5605b32151654c6259f7c77f1a32b.tar.gz freeipa-b6258d08d6c5605b32151654c6259f7c77f1a32b.tar.xz freeipa-b6258d08d6c5605b32151654c6259f7c77f1a32b.zip