#3829 Make Read replication agreements permission more targeted
Closed: Fixed None Opened 10 years ago by mkosek.

Current ACI allowing replica admins to read replication agreements is too allowing in terms of cn=config exposure and is also not bound to any permission, thus does not allow users to assign it.

The patch for this would do basically this:

  • remove the following aci from both installer and current deployments:

    (targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)

  • add new permission ACI like this:

    (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)

  • make sure that "Replication Administrators" privilege has it assigned the new read permission
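As an added illustration (not part of the ticket and not FreeIPA's own code), the script below parses the two ACIs quoted above and reports how broad each one's target is: the old ACI has no target filter and grants everything except `aci`, while the new one is scoped to the replication-related object classes and is bound to a managed permission. The suffix `dc=example,dc=test` is a constructed stand-in for `$SUFFIX`; the parser handles only the ACI features the two strings actually use.

```python
import re

# Constructed sample suffix standing in for $SUFFIX in the ticket's ACIs.
SUFFIX = "dc=example,dc=test"

# The ACI the ticket removes (quoted from the ticket, $SUFFIX substituted).
OLD_ACI = (
    '(targetattr != aci)(version 3.0; aci "replica admins read access"; '
    'allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication '
    f'Agreements,cn=permissions,cn=pbac,{SUFFIX}";)'
)

# The permission-bound ACI the ticket adds.
NEW_ACI = (
    '(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)'
    '(objectclass=nsds5replicationagreement)'
    '(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")'
    '(version 3.0; acl "permission:Read Replication Agreements"; '
    'allow (read, search, compare) groupdn = "ldap:///cn=Read Replication '
    f'Agreements,cn=permissions,cn=pbac,{SUFFIX}";)'
)

TARGET_RE = re.compile(r'(targetattr|targetfilter|target)\s*(!=|=)\s*"?(.*?)"?$', re.S)
NAME_RE = re.compile(r'(?:acl|aci)\s+"(.*)"')
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(.*)', re.S)


def split_clauses(aci):
    """Split an ACI into its top-level parenthesised clauses.

    Parentheses inside double quotes (e.g. an LDAP filter in targetfilter)
    do not count towards nesting.
    """
    clauses, depth, in_quote, start = [], 0, False, None
    for i, ch in enumerate(aci):
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote:
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    clauses.append(aci[start + 1:i])
    return clauses


def parse_aci(aci):
    """Return the target clauses, name, effect, rights and bind rule of an ACI."""
    info = {"targets": {}, "name": None, "effect": None, "rights": [], "bind": None}
    for clause in split_clauses(aci):
        m = TARGET_RE.match(clause)
        if m:
            key, op, val = m.groups()
            info["targets"][key] = (op, val)
            continue
        if clause.startswith("version"):
            parts = [p.strip() for p in clause.split(";") if p.strip()]
            info["name"] = NAME_RE.match(parts[1]).group(1)
            effect, rights, bind = RULE_RE.match(parts[2]).groups()
            info["effect"] = effect
            info["rights"] = [r.strip() for r in rights.split(",")]
            info["bind"] = bind.strip()
    return info


def assess_exposure(info):
    """List the reasons an ACI's target is broader than a scoped permission should be."""
    targets = info["targets"]
    reasons = []
    if "targetfilter" not in targets and "target" not in targets:
        reasons.append("no target/targetfilter: applies to every entry under the ACI's placement")
    attr_op, attr_val = targets.get("targetattr", ("=", "*"))
    if attr_op == "!=":
        reasons.append(f"targetattr != {attr_val}: every attribute except {attr_val} is exposed")
    elif attr_val == "*" and "targetfilter" not in targets:
        reasons.append("targetattr=* with no filter: all attributes of all entries")
    return reasons


def filter_objectclasses(info):
    """Object classes named in the targetfilter, in order of appearance."""
    _, val = info["targets"].get("targetfilter", ("=", ""))
    return re.findall(r"objectclass=([^)]+)", val, re.I)


def is_permission_bound(info):
    """True when the ACI is a managed permission: named 'permission:...' and bound to cn=pbac."""
    return (info["name"] or "").startswith("permission:") and \
        ",cn=permissions,cn=pbac," in (info["bind"] or "")


if __name__ == "__main__":
    for label, aci in (("old", OLD_ACI), ("new", NEW_ACI)):
        info = parse_aci(aci)
        print(f"{label}: {info['name']!r}, rights={info['rights']}, "
              f"permission-bound={is_permission_bound(info)}")
        print("  object classes:", filter_objectclasses(info) or "(unrestricted)")
        for reason in assess_exposure(info):
            print("  exposure:", reason)
```

Running it prints two exposure findings for the old ACI and none for the new one, which is exactly the tightening the ticket asks for. The same parser can be pointed at any ACI string pulled out of `cn=config` to check that a read grant carries a `targetfilter` and a `permission:` name before it is handed to a privilege.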

Moving to next release milestone, as agreed on today's meeting.

3.4 development was shifted by one month, moving tickets to reflect reality better.

This ticket may be related to pviktori's ACI refactoring effort.

Adjusting time plan - 3.4 development was postponed as we focused on 3.3.x testing and stabilization.

Moving unfinished November tickets to January.

We did not receive any patch from James, reassigning to Petr who is doing the ACI refactoring in 3.4. I would like this change to be part of it.


  • 86f943c Replace "replica admins read access" ACI with a permission

Metadata Update from @mkosek:
- Issue assigned to pviktori
- Issue set to the milestone: FreeIPA 4.0 - 2014/04

7 years ago
