[389-devel] ACL: Adding object based on owner attribute

Nathaniel McCallum npmccallum at redhat.com
Wed Jan 8 16:20:51 UTC 2014


On Fri, 2013-12-20 at 17:31 -0500, Nathaniel McCallum wrote:
> I'm working on this project: http://www.freeipa.org/page/V3/OTP
> 
> Users need to be able to create, edit and delete their own tokens. Each
> token has an attribute: ipatokenOwner.
> 
> I attempted creating this ACL: (target =
> "ldap:///ipatokenuniqueid=*,cn=otp,dc=example,dc=com")(targetfilter =
> "(objectClass=ipaToken)")(version 3.0; acl "token-add-delete"; allow
> (add, delete) userattr = "ipatokenOwner#USERDN";)
> 
> After much debugging I found out this is impossible because of this:
> https://git.fedorahosted.org/cgit/389/ds.git/tree/ldap/servers/plugins/acl/acllas.c#n1282
> 
> Now, in the general case, I can very much understand why this shouldn't
> be allowed by default. What alternatives are there with the current
> code? Would 389DS be willing to accept a patch to enable this (with a
> I_KNOW_WHAT_I_AM_DOING flag)?
> 
> The general reason why this feature works in my case is that each object
> created restricts the user, rather than granting new privileges. This
> seems like a valid use case.

I really appreciate the quick fix for this
(a9cd4e78f1fd1af5de06aca46c8c10ed70bbe4e1)!

Any idea when this will be available in a release and/or Fedora Rawhide?

Nathaniel
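To make the semantics of the quoted ACI concrete, here is an added example (not code from the thread or from 389 Directory Server) that parses the `token-add-delete` ACI and evaluates an add or delete request the way the poster wants it evaluated: the `userattr = "ipatokenOwner#USERDN"` bind rule is checked against the entry the operation touches (the entry being added, or the existing entry being deleted), so a user can only create or remove tokens that name them as owner. The regex parser, the `is_allowed` signature, the sample DNs and the token entry are all constructed assumptions and this is a simplified model, not the server's real ACL engine.

```python
import re

# Constructed sample: the ACI quoted in the thread, reassembled onto one line.
ACI = ('(target = "ldap:///ipatokenuniqueid=*,cn=otp,dc=example,dc=com")'
       '(targetfilter = "(objectClass=ipaToken)")'
       '(version 3.0; acl "token-add-delete"; allow (add, delete) '
       'userattr = "ipatokenOwner#USERDN";)')

def parse_aci(text):
    """Split a v3 ACI into target DN pattern, filter, name, rights and bind rule."""
    target = re.search(r'\(target\s*=\s*"ldap:///([^"]+)"\)', text).group(1)
    tfilter = re.search(r'\(targetfilter\s*=\s*"\(([^=]+)=([^)]+)\)"\)', text)
    name = re.search(r'acl\s+"([^"]+)"', text).group(1)
    rights = re.search(r'allow\s*\(([^)]*)\)', text).group(1)
    attr, keyword = re.search(r'userattr\s*=\s*"([^#"]+)#([^"]+)"', text).groups()
    return {"target": target, "filter": (tfilter.group(1), tfilter.group(2)),
            "name": name, "rights": {r.strip() for r in rights.split(",")},
            "userattr": attr, "bind_keyword": keyword}

def dn_matches_target(dn, pattern):
    """Turn the LDAP-URL wildcard (ipatokenuniqueid=*) into a regex and match the DN."""
    rx = re.escape(pattern).replace(r"\*", "[^,]+")
    return re.fullmatch(rx, dn, re.IGNORECASE) is not None

def is_allowed(aci, op, bind_dn, entry_dn, entry):
    """Model of userattr#USERDN: grant op only when the named attribute of the
    entry the operation touches (new entry for add, existing one for delete)
    holds the bound user's DN. entry is {attribute: [values]} (assumed format)."""
    if op not in aci["rights"] or not dn_matches_target(entry_dn, aci["target"]):
        return False
    fattr, fval = aci["filter"]
    if fval.lower() not in (v.lower() for v in entry.get(fattr, [])):
        return False
    owners = entry.get(aci["userattr"], [])
    return any(o.lower() == bind_dn.lower() for o in owners)

# Constructed sample data: alice owns the token, bob does not.
ALICE = "uid=alice,cn=users,dc=example,dc=com"
BOB = "uid=bob,cn=users,dc=example,dc=com"
TOKEN_DN = "ipatokenuniqueid=abc123,cn=otp,dc=example,dc=com"
TOKEN = {"objectClass": ["ipaToken"], "ipatokenOwner": [ALICE]}

if __name__ == "__main__":
    rule = parse_aci(ACI)
    print("alice add:", is_allowed(rule, "add", ALICE, TOKEN_DN, TOKEN))   # True
    print("bob add:", is_allowed(rule, "add", BOB, TOKEN_DN, TOKEN))       # False
```

Because the owner attribute is part of the entry being added, granting `add` here only lets a user bind a new token to themselves; it never lets them create a token for someone else, which is the "restricts the user rather than granting new privileges" argument made above.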
