The attribute defined in the targetattr keyword of an ACI is checked against the schema to make sure it is a defined attribute when you are adding a new ACI. If you want to use an attribute subtype, the ACI is rejected since the attribute with subtype is not defined in the schema. We should strip off the subtype when we validate the targetattr keyword against the schema.
Here is an example ACI that is currently being rejected, but should be allowed:
acl "allowed retrieval of keytabs";
userattr = "allowedToPerform;getKeytab#GROUPDN";)
This example assumes that the "protectedOperation" attribute is defined in the schema.
This issue is related to FreeIPA ticket #3859.
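The check described in this ticket, as an added example that is not part of the ticket or of 389-ds-base: a targetattr value is split on "||" and each entry is looked up either as the full string (the behaviour being reported) or by its base type with the subtype stripped. The schema table, the function names and the ";sample" subtype are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for the schema; not 389-ds-base data or API. */
static const char *schema_attrs[] = { "cn", "userPassword", "protectedOperation", NULL };

static int schema_has(const char *name, size_t len)
{
    for (size_t i = 0; schema_attrs[i] != NULL; i++)
        if (strlen(schema_attrs[i]) == len && strncasecmp(schema_attrs[i], name, len) == 0)
            return 1;
    return 0;
}

/* Check one entry. strip_subtype == 0 looks up the full string (the rejected
 * case in the ticket); otherwise only the base type before ';' is looked up. */
static int entry_ok(const char *attr, int strip_subtype)
{
    size_t len = strlen(attr);
    const char *semi = strchr(attr, ';');
    if (strip_subtype && semi != NULL)
        len = (size_t)(semi - attr);
    return len > 0 && schema_has(attr, len);   /* empty base type is never valid */
}

/* Validate a "||"-separated targetattr value; every entry must pass. */
int targetattr_ok(const char *value, int strip_subtype)
{
    char buf[256];
    size_t n = strlen(value);
    if (n >= sizeof(buf))
        return 0;                               /* refuse oversized input */
    memcpy(buf, value, n + 1);
    for (char *p = buf, *next; p != NULL; p = next) {
        next = strstr(p, "||");
        if (next != NULL) { *next = '\0'; next += 2; }
        while (*p == ' ') p++;                  /* trim leading spaces */
        for (char *e = p + strlen(p); e > p && e[-1] == ' '; ) *--e = '\0';
        if (!entry_ok(p, strip_subtype))
            return 0;
    }
    return 1;
}

int main(void)
{
    const char *v = "cn || protectedOperation;sample";   /* constructed value */
    printf("full-string lookup: %d\n", targetattr_ok(v, 0));
    printf("subtype stripped:   %d\n", targetattr_ok(v, 1));
    return 0;
}
```

Stripping the subtype does not weaken the schema check: an entry whose base type is undefined is still rejected.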
Thanks to Rich for his review! Pushed to the following branches:
master - cb73cf2
389-ds-base-1.3.2 - 2b7cbb8
Pushed build warnings fix to the following branches:
master - 01df89d
389-ds-base-1.3.2 - b5676ab
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1044169
You could argue that this patch should go into the dirsrvtests/tickets/ directory and not the dirsrvtests/suites directory, but it's fine and we should really start getting more tests into the "suites" anyway.
01fea1f..0c4eafb master -> master
Author: Simon Pichugin firstname.lastname@example.org
Date: Tue Aug 11 16:11:48 2015 +0200
7a4b0a7..48e506d 389-ds-base-1.3.4 -> 389-ds-base-1.3.4
dc22924..895dc4f 389-ds-base-1.3.3 -> 389-ds-base-1.3.3
Metadata Update from @nkinder:
- Issue assigned to nkinder
- Issue set to the milestone: 184.108.40.206