I'm working on this project: http://www.freeipa.org/page/V3/OTP
Users need to be able to create, edit and delete their own tokens. Each
token has an attribute: ipatokenOwner.
I attempted creating this ACL: (target =
"ldap:///ipatokenuniqueid=*,cn=otp,dc=example,dc=com")(targetfilter =
"(objectClass=ipaToken)")(version 3.0; acl "token-add-delete"; allow
(add, delete) userattr = "ipatokenOwner#USERDN";)
After much debugging I found out this is impossible because of this:
https://git.fedorahosted.org/cgit/389/ds.git/tree/ldap/servers/plugins/acl/…
Now, in the general case, I can very much understand why this shouldn't
be allowed by default. What alternatives are there with the current
code? Would 389DS be willing to accept a patch to enable this (with a
I_KNOW_WHAT_I_AM_DOING flag)?
The general reason why this feature works in my case is that each object
created restricts the user, rather than granting new privileges. This
seems like a valid use case.
Nathaniel
I just posted this patch:
https://www.redhat.com/archives/freeipa-devel/2013-December/msg00229.html
389ds may be interested in the ISO 8601 parser contained in the patch.
It offers two main advantages to the one already contained in the 389ds
tree:
1. It is *far* more flexible in what it can parse.
2. It is thoroughly tested (currently ~15k tests).
Nathaniel
Hi,
Thanks Rich for having reviewed the changes on ticket 47635.
I made some additional cleanup also covered by this tickets (mainly
around backend).
The following review is not a cumulative set of changes, it is diff from
the previous review.
https://fedorahosted.org/389/attachment/ticket/47635/0001-Ticket-47635-foll…