#47569 ACIs do not allow attribute subtypes in targetattr keyword
Closed: Fixed None Opened 6 years ago by nkinder.

The attribute defined in the targetattr keyword of an ACI is checked against the schema to make sure it is a defined attribute when you are adding a new ACI. If you want to use an attribute subtype, the ACI is rejected since the attribute with subtype is not defined in the schema. We should strip off the subtype when we validate the targetattr keyword against the schema.

Here is an example ACI that is currently being rejected, but should be allowed:

(version 3.0;
 acl "allowed retrieval of keytabs";
 allow (read)
 userattr = "allowedToPerform;getKeytab#GROUPDN";)

This example assumes that the "protectedOperation" attribute is defined in the schema.

This issue is related to FreeIPA ticket #3859.

Thanks to Rich for his review! Pushed to the following branches:

master - cb73cf2
389-ds-base-1.3.2 - 2b7cbb8

Pushed build warnings fix to the following branches:

master - 01df89d
389-ds-base-1.3.2 - b5676ab

You could argue that this patch should go into the dirsrvtests/tickets/ directory and not the dirsrvtests/suites directory, but it's fine and we should really start getting more tests into the "suites" anyway.


01fea1f..0c4eafb master -> master
commit 0c4eafb
Author: Simon Pichugin spichugi@redhat.com
Date: Tue Aug 11 16:11:48 2015 +0200

7a4b0a7..48e506d 389-ds-base-1.3.4 -> 389-ds-base-1.3.4
commit 48e506d

dc22924..895dc4f 389-ds-base-1.3.3 -> 389-ds-base-1.3.3
commit 895dc4f

Metadata Update from @nkinder:
- Issue assigned to nkinder
- Issue set to the milestone:

2 years ago

Login to comment on this ticket.