9dda004 Allow permissions with 'self' bindruletype

6 files. Authored by cheimes 3 years ago, committed by abbra 3 years ago.
    Allow permissions with 'self' bindruletype
    
    Make it possible to create a managed permission with
    ipapermbindruletype="self". The ACI will have bind rule
    '(userdn = "ldap:///self")'.
    
    Example
    -------
    
    Allow users to modify their own fasTimezone and fasIRCNick attributes:
    
    ```
    managed_permissions = {
        "System: Self-Modify FAS user attributes": {
            "ipapermright": {"write"},
            "ipapermtargetfilter": ["(objectclass=fasuser)"],
            "ipapermbindruletype": "self",
            "ipapermdefaultattr": ["fasTimezone", "fasIRCNick"],
        }
    }
    ```
    
    See: https://github.com/fedora-infra/freeipa-fas/pull/107
    Fixes: https://pagure.io/freeipa/issue/8348
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    
        
file modified
+3 -3
file modified
+2 -2
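
An added example, not part of the commit or of FreeIPA's code: it renders the ACI text that the commit message's permission corresponds to, then audits self-bound permissions for attributes a user should not be able to change on their own entry. The ACI layout, the `SENSITIVE_SELF_WRITE` list, the function names and the second permission are assumptions constructed for illustration.

```python
# Added illustration, not FreeIPA code: render the ACI text for a managed
# permission (simplified layout) and flag risky self-writable attributes.
# Bind rule per ipapermbindruletype; "self" is the type this commit enables.
BIND_RULES = {"self": 'userdn = "ldap:///self"',
              "all": 'userdn = "ldap:///all"',
              "anonymous": 'userdn = "ldap:///anyone"'}
# Constructed review list (assumption): attributes that change a user's
# identity, group membership or account state if the user can write them.
SENSITIVE_SELF_WRITE = {"uid", "uidnumber", "gidnumber", "memberof",
                        "objectclass", "krbprincipalname", "nsaccountlock"}

def render_aci(name, perm):
    """Return the ACI string for one managed-permission entry."""
    attrs = " || ".join(sorted(perm["ipapermdefaultattr"]))
    filters = "".join(f'(targetfilter = "{f}")' for f in perm["ipapermtargetfilter"])
    rights = ",".join(sorted(perm["ipapermright"]))
    bind = BIND_RULES[perm["ipapermbindruletype"]]
    return (f'(targetattr = "{attrs}"){filters}'
            f'(version 3.0;acl "permission:{name}";allow ({rights}) {bind};)')

def audit_self_permissions(permissions):
    """Map each self-bound write permission to its sensitive attributes."""
    findings = {}
    for name, perm in permissions.items():
        writes = {"write", "all"} & set(perm.get("ipapermright", ()))
        if perm.get("ipapermbindruletype") != "self" or not writes:
            continue
        risky = sorted(a for a in perm.get("ipapermdefaultattr", ())
                       if a.lower() in SENSITIVE_SELF_WRITE)
        if risky:
            findings[name] = risky
    return findings

MANAGED_PERMISSIONS = {
    "System: Self-Modify FAS user attributes": {  # from the commit message
        "ipapermright": {"write"},
        "ipapermtargetfilter": ["(objectclass=fasuser)"],
        "ipapermbindruletype": "self",
        "ipapermdefaultattr": ["fasTimezone", "fasIRCNick"],
    },
    "Example: Self-Modify POSIX ids": {  # constructed, deliberately too broad
        "ipapermright": {"write"}, "ipapermbindruletype": "self",
        "ipapermtargetfilter": ["(objectclass=posixaccount)"],
        "ipapermdefaultattr": ["uidNumber", "loginShell"],
    },
}

if __name__ == "__main__":
    print(audit_self_permissions(MANAGED_PERMISSIONS))
```

The commit's own permission passes the audit because it grants write access only to `fasTimezone` and `fasIRCNick`; the constructed second entry is flagged for `uidNumber`.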