Current ACI allowing replica admins to read replication agreements is too allowing in terms of cn=config exposure and is also not bound to any permission, thus does not allow users to assign it.
The patch for this would do basically this:
remove the following aci from both installer and current deployments:
(targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
add a new permission ACI like this:
(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
make sure that the "Replication Administrators" privilege has the new read permission assigned
Related ticket: #2770.
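As an added illustration (not code from the ticket or from FreeIPA): a small Python check that parses the two ACIs quoted above and reports the two problems the ticket names, assuming the installer's $SUFFIX placeholder is dc=example,dc=com.

```python
import re

# Constructed samples built from the two ACIs quoted in the ticket, with the
# installer's $SUFFIX placeholder filled in as dc=example,dc=com (assumption).
SUFFIX = "dc=example,dc=com"
OLD_ACI = ('(targetattr != aci)(version 3.0; aci "replica admins read access"; '
           'allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication '
           f'Agreements,cn=permissions,cn=pbac,{SUFFIX}";)')
NEW_ACI = ('(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)'
           '(objectclass=nsds5replicationagreement)'
           '(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")'
           '(version 3.0; acl "permission:Read Replication Agreements"; '
           'allow (read, search, compare) groupdn = "ldap:///cn=Read Replication '
           f'Agreements,cn=permissions,cn=pbac,{SUFFIX}";)')

# Target clauses come before "(version"; a quoted value (targetfilter) may contain
# parentheses, so it is matched up to the closing quote, an unquoted one up to ")".
TARGET_RE = re.compile(r'\((targetattr|targetfilter|target)\s*(!=|=)\s*(?:"([^"]*)"|([^)]*))\)')
NAME_RE = re.compile(r'\b(?:aci|acl)\s+"([^"]+)"')
RIGHTS_RE = re.compile(r'\ballow\s*\(([^)]*)\)')
BIND_RE = re.compile(r'\b(groupdn|userdn)\s*=\s*"ldap:///([^"]+)"')

def parse_aci(aci):
    """Split a 389-ds ACI into its target clauses and its name/rights/bind part."""
    head, _, body = aci.partition("(version ")
    targets = {key: (op, quoted or unquoted.strip())
               for key, op, quoted, unquoted in TARGET_RE.findall(head)}
    name, rights, bind = NAME_RE.search(body), RIGHTS_RE.search(body), BIND_RE.search(body)
    return {
        "name": name.group(1) if name else "",
        "targets": targets,
        "rights": {r.strip() for r in rights.group(1).split(",")} if rights else set(),
        "bind": (bind.group(1), bind.group(2)) if bind else None,
    }

def audit_read_aci(aci, suffix):
    """Return the problems the ticket describes; [] means scoped and permission-bound."""
    p = parse_aci(aci)
    findings = []
    perm_base = f"cn=permissions,cn=pbac,{suffix}".lower()
    if not p["bind"] or not p["bind"][1].lower().endswith(perm_base):
        findings.append("bind rule does not point at a group under cn=permissions,cn=pbac")
    if not p["name"].startswith("permission:"):
        findings.append("name lacks the permission: prefix, so it is not managed as an IPA permission")
    if "targetfilter" not in p["targets"]:
        findings.append("no targetfilter: read/search applies to every entry under the "
                        "ACI's subtree, not only to replication objects")
    return findings
```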
Moving to next release milestone, as agreed on today's meeting.
3.4 development was shifted by one month, moving tickets to reflect reality better.
This ticket may be related to pviktori's ACI refactoring effort.
Adjusting time plan - 3.4 development was postponed as we focused on 3.3.x testing and stabilization.
Moving unfinished November tickets to January.
We did not receive any patch from James, reassigning to Petr who is doing the ACI refactoring in 3.4. I would like this change to be part of it.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1108215
Metadata Update from @mkosek:
- Issue assigned to pviktori
- Issue set to the milestone: FreeIPA 4.0 - 2014/04