The attribute defined in the targetattr keyword of an ACI is checked against the schema to make sure it is a defined attribute when you are adding a new ACI. If you want to use an attribute subtype, the ACI is rejected since the attribute with subtype is not defined in the schema. We should strip off the subtype when we validate the targetattr keyword against the schema.
Here is an example ACI that is currently being rejected, but should be allowed:
(targetattr=protectedOperation;getKeytab) (version 3.0; acl "allowed retrieval of keytabs"; allow (read) userattr = "allowedToPerform;getKeytab#GROUPDN";)
This example assumes that the "protectedOperation" attribute is defined in the schema.
This issue is related to FreeIPA ticket #3859.
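The check requested above, as an added example (not code from 389-ds-base or from the attached patches): the schema lookup uses only the base attribute type before the first `;`, so a subtype is accepted while an undefined base type is still rejected. The `SCHEMA_ATTRS` table and the function names are hypothetical stand-ins for the server's schema lookup, and the `||` list separator follows the usual targetattr syntax.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for the schema; not the server's real schema API. */
static const char *SCHEMA_ATTRS[] = { "cn", "protectedOperation", NULL };

static int schema_has_attr(const char *name, size_t len)
{
    for (size_t i = 0; SCHEMA_ATTRS[i] != NULL; i++) {
        /* Attribute type names compare case-insensitively. */
        if (strlen(SCHEMA_ATTRS[i]) == len &&
            strncasecmp(SCHEMA_ATTRS[i], name, len) == 0)
            return 1;
    }
    return 0;
}

/* Validate a targetattr value such as "cn || protectedOperation;getKeytab".
 * strip_subtype = 0: look up each entry verbatim (the behaviour reported).
 * strip_subtype = 1: look up only the base type before the first ';'.
 * Returns 1 if every entry names a schema-defined attribute, else 0. */
static int targetattr_is_valid(const char *value, int strip_subtype)
{
    const char *p = value;
    for (;;) {
        const char *sep = strstr(p, "||");
        const char *end = sep ? sep : p + strlen(p);
        while (p < end && isspace((unsigned char)*p)) p++;
        while (end > p && isspace((unsigned char)end[-1])) end--;
        size_t len = (size_t)(end - p);
        const char *semi = strip_subtype ? memchr(p, ';', len) : NULL;
        if (semi) len = (size_t)(semi - p);
        /* Empty base type (e.g. ";getKeytab") or unknown type: reject. */
        if (len == 0 || !schema_has_attr(p, len)) return 0;
        if (!sep) return 1;
        p = sep + 2;
    }
}

int main(void)
{
    const char *aci_attr = "protectedOperation;getKeytab"; /* from the ticket */
    printf("verbatim lookup: %d\n", targetattr_is_valid(aci_attr, 0));
    printf("subtype stripped: %d\n", targetattr_is_valid(aci_attr, 1));
    printf("unknown base type: %d\n", targetattr_is_valid("noSuchAttr;getKeytab", 1));
    return 0;
}
```

Only the schema lookup ignores the subtype; the ACI text itself keeps `;getKeytab`, so the rule still applies to that subtype alone.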
attachment 0001-Ticket-47569-ACIs-do-not-allow-attribute-subtypes-in.patch
Thanks to Rich for his review! Pushed to the following branches:
master - cb73cf2
389-ds-base-1.3.2 - 2b7cbb8
attachment 0001-Ticket-47569-Fix-build-warnings.patch
Pushed build warnings fix to the following branches:
master - 01df89d
389-ds-base-1.3.2 - b5676ab
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1044169
attachment 0001-Ticket-47569-Added-a-testcase-to-ACL-testsuite.patch
You could argue that this patch should go into the dirsrvtests/tickets/ directory and not the dirsrvtests/suites directory, but it's fine and we should really start getting more tests into the "suites" anyway.
Ack.
01fea1f..0c4eafb master -> master
commit 0c4eafb
Author: Simon Pichugin spichugi@redhat.com
Date: Tue Aug 11 16:11:48 2015 +0200

7a4b0a7..48e506d 389-ds-base-1.3.4 -> 389-ds-base-1.3.4
commit 48e506d

dc22924..895dc4f 389-ds-base-1.3.3 -> 389-ds-base-1.3.3
commit 895dc4f
Metadata Update from @nkinder:
- Issue assigned to nkinder
- Issue set to the milestone: 1.3.2.3
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/906
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)