The CLI accepts creating a permission with a memberof attribute. However, the attribute is not returned in the response:
# ipa permission-add test --permissions=write --memberof=editors
-----------------------
Added permission "test"
-----------------------
  Permission name: test
  Permissions: write
It doesn't appear in the show command either:
# ipa permission-show test --all --raw
  dn: cn=test,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  cn: test
  permissions: write
  objectclass: groupofnames
  objectclass: ipapermission
  objectclass: top
The attribute is actually stored in LDAP ACI:
aci: (targetfilter = "(memberOf=cn=editors,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com)")(version 3.0;acl "permission:test";allow (write) userdn = "ldap:///self";)
attachment freeipa-rcrit-912-permission.patch
master: 64ee246
(In #2255) #2100 & #2101 are the fixes for this one.
Metadata Update from @edewata: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 3.0 Core Effort - 2011/12
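For auditing what a permission really targets when the CLI omits it, the memberOf restriction can be read back from the ACI quoted in the ticket description. The following is an added example, not FreeIPA's own code or the attached patch; the helper names are hypothetical and the parser assumes only the ACI shape shown above, given in folded LDIF form.

```python
import re

# Constructed sample: the ticket's ACI as folded LDIF
# (continuation lines start with one space, per RFC 2849).
FOLDED_LDIF = (
    'aci: (targetfilter = "(memberOf=cn=editors,cn=groups,cn=accounts,dc=idm,dc=lab\n'
    ' ,dc=bos,dc=redhat,dc=com)")(version 3.0;acl "permission:test";allow (write) u\n'
    ' serdn = "ldap:///self";)\n'
)

def unfold_ldif(text):
    """Join LDIF continuation lines (newline followed by one space)."""
    return re.sub(r"\r?\n ", "", text)

def parse_permission_aci(aci):
    """Hypothetical helper: pull name, rights and memberOf target from an ACI."""
    name = re.search(r'acl\s+"permission:([^"]+)"', aci)
    rights = re.search(r'allow\s*\(([^)]*)\)', aci)
    tfilter = re.search(r'\(targetfilter\s*=\s*"([^"]*)"\)', aci)
    if not name or not rights:
        raise ValueError("not a permission ACI")
    result = {
        "name": name.group(1),
        "permissions": [r.strip() for r in rights.group(1).split(",")],
        "memberof_dn": None,
        "memberof": None,
    }
    if tfilter:
        m = re.search(r'\(memberOf=([^)]+)\)', tfilter.group(1), re.IGNORECASE)
        if m:
            result["memberof_dn"] = m.group(1)
            # The first RDN value is the group name given to --memberof.
            # Simplification: assumes the cn contains no escaped commas.
            rdn = m.group(1).split(",", 1)[0]
            result["memberof"] = rdn.split("=", 1)[1]
    return result

def permission_from_ldif(ldif):
    """Find the aci attribute in an LDIF entry and parse it."""
    for line in unfold_ldif(ldif).splitlines():
        if line.lower().startswith("aci:"):
            return parse_permission_aci(line[4:].strip())
    raise ValueError("no aci attribute found")

if __name__ == "__main__":
    print(permission_from_ldif(FOLDED_LDIF))
```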