#92 RFE: add exception to removal of attributes in cn=config for aci
Closed: Invalid None Opened 7 years ago by mkosek.

https://bugzilla.redhat.com/show_bug.cgi?id=566320

Description of problem:

It is not possible to do an online deletion of an attribute from cn=config
(probably a good thing).

It would be nice to be able to have an exception that acis can be removed
online.

Version-Release number of selected component (if applicable):

389-ds-base-1.2.3-1.fc12.x86_64

batch update to FUTURE milestone

set default ticket origin to Community

Added initial screened field value.

The functionality is already supported.
How to set up aci so that it is allowed to be deleted:
{{{
1. add 'aci' to nsslapd-allowed-to-delete-attrs in cn=config like this:
cn=config
nsslapd-allowed-to-delete-attrs: nsslapd-securelistenhost aci
2. restart the server
}}}

Test steps:
{{{
Here are the sample acis set on cn=config:
$ ldapsearch ... -b "cn=config" -s base aci
dn: cn=config
aci:: KHRhcmdldGF0dHI9KikodmVyc2lvbiAzLjA7IGFjbCAiYWNsMSI7IGFsbG93KHdyaXRlKSB1c2VyZG4gPSAibGRhcDovLy9zZWxmIjspIA==
aci: (targetattr=*)(version 3.0; acl "acl2"; allow(write) groupdn = "ldap:///cn=Directory Administrators, dc=example,dc=com";)
aci: (targetattr=*)(version 3.0; acl "acl3"; allow(read, search, compare) userdn = "ldap:///anyone";)

This ldapdelete eliminates the specified aci:
$ ldapmodify ... << EOF
dn: cn=config
changetype: modify
delete: aci
aci: (targetattr=*)(version 3.0; acl "acl2"; allow(write) groupdn = "ldap:///cn=Directory Administrators, dc=example,dc=com";)
EOF

$ ldapsearch ... -b "cn=config" -s base aci
dn: cn=config
aci:: KHRhcmdldGF0dHI9KikodmVyc2lvbiAzLjA7IGFjbCAiYWNsMSI7IGFsbG93KHdyaXRlKSB1c2VyZG4gPSAibGRhcDovLy9zZWxmIjspIA==
aci: (targetattr=*)(version 3.0; acl "acl3"; allow(read, search, compare) userdn = "ldap:///anyone";)

This ldapdelete eliminates all the acis:
$ ldapmodify ... << EOF
dn: cn=config
changetype: modify
delete: aci
EOF

$ ldapsearch ... -b "cn=config" -s base aci
dn: cn=config
$
}}}

Metadata Update from @nhosoi:
- Issue set to the milestone: 1.3.0.rc1

2 years ago
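
An added example, not part of the ticket or the 389-ds code base: deleting a single aci value only works when the value in the modify request matches the stored one exactly, and the `aci::` line in the test output is base64 because the stored value ends in a space. The sketch below parses ldapsearch output in that shape, flags acis open to `ldap:///anyone`, and builds the matching delete LDIF; the function names and the folded sample line are assumptions made for the example.

```python
import base64
import re

# Constructed sample in the shape of the ticket's ldapsearch output:
# one base64 "aci::" value (it ends in a space) and one folded line.
SAMPLE = '''dn: cn=config
aci:: KHRhcmdldGF0dHI9KikodmVyc2lvbiAzLjA7IGFjbCAiYWNsMSI7IGFsbG93KHdyaXRlKSB1c2VyZG4gPSAibGRhcDovLy9zZWxmIjspIA==
aci: (targetattr=*)(version 3.0; acl "acl3"; allow(read, search, compare) us
 erdn = "ldap:///anyone";)
'''

def parse_acis(ldif):
    """Return the aci values of one LDIF entry, unfolded and base64-decoded."""
    unfolded = re.sub(r"\r?\n ", "", ldif)  # RFC 2849 continuation lines
    values = []
    for line in unfolded.splitlines():
        m = re.match(r"aci(::?) *(.*)$", line, re.IGNORECASE)
        if not m:
            continue
        raw = m.group(2)
        values.append(base64.b64decode(raw).decode("utf-8")
                      if m.group(1) == "::" else raw)
    return values

def describe(aci):
    """Extract the ACL name and flag a bind rule that matches every client."""
    name = re.search(r'acl\s+"([^"]*)"', aci)
    return {"name": name.group(1) if name else None,
            "anyone": "ldap:///anyone" in aci}

def needs_base64(value):
    """RFC 2849: unsafe first character, trailing space, NUL/CR/LF, non-ASCII."""
    return (value[:1] in (" ", ":", "<") or value.endswith(" ")
            or any(ord(c) > 127 or c in "\r\n\0" for c in value))

def delete_ldif(dn, aci):
    """Build ldapmodify input that deletes exactly one aci value."""
    if needs_base64(aci):
        attr = "aci:: " + base64.b64encode(aci.encode("utf-8")).decode("ascii")
    else:
        attr = "aci: " + aci
    return f"dn: {dn}\nchangetype: modify\ndelete: aci\n{attr}\n"

if __name__ == "__main__":
    for value in parse_acis(SAMPLE):
        print(describe(value))
        print(delete_ldif("cn=config", value))
```

Typing the decoded `acl1` value as a plain `aci:` line would lose the trailing space, so the delete request would not match the stored value.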
