abbra / freeipa

Mirror of FreeIPA, an integrated security information management solution
http://www.freeipa.org
GNU General Public License v3.0

External idp impl #78

Closed flo-renaud closed 3 years ago

flo-renaud commented 3 years ago

Hi @abbra thanks for the review. I removed the unicode prefix (hope I didn't forget it anywhere) and fixed the uppercase in IdP.

Also should we add 'admins' group to the default privilege?

By default admins can manage any entry thanks to the following ACI on the basedn:

aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sam
 baNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonica
 lName || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessf
 ulAuth || krbLastFailedAuth || ipaUniqueId || memberOf || enrolledBy || ipaNT
 Hash || ipaProtectedOperation")(version 3.0; acl "Admin can manage any entry"
 ; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=ipa,dc=te
 st";)
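
Added example, not part of the comment above or of the FreeIPA code base: a small Python parser that unfolds the LDIF-wrapped ACI quoted above and reports which attributes it targets for the admins group. The function names are hypothetical, and the regular expression assumes the single-target, single-`groupdn` shape of this one ACI.

```python
import re

# The ACI exactly as quoted in the comment above, in folded LDIF form
# (a continuation line starts with a single space).
FOLDED = '''aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sam
 baNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonica
 lName || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessf
 ulAuth || krbLastFailedAuth || ipaUniqueId || memberOf || enrolledBy || ipaNT
 Hash || ipaProtectedOperation")(version 3.0; acl "Admin can manage any entry"
 ; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=ipa,dc=te
 st";)'''

def unfold(ldif):
    """Undo LDIF line folding: drop each newline plus the one leading space."""
    return ldif.replace("\n ", "")

def parse_aci(ldif):
    """Split an ACI of the shape shown above into target, rights and bind rule."""
    value = unfold(ldif).split(":", 1)[1].strip()
    m = re.fullmatch(
        r'\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\)'
        r'\(version 3\.0;\s*acl\s*"(?P<name>[^"]*)"\s*;'
        r'\s*allow\s*\((?P<rights>[^)]*)\)\s*groupdn\s*=\s*"(?P<group>[^"]*)"\s*;\)',
        value)
    if m is None:
        raise ValueError("ACI does not have the expected shape")
    return {
        "name": m["name"],
        "negated": m["op"] == "!=",  # "!=" means: every attribute except these
        "attrs": {a.strip().lower() for a in m["attrs"].split("||")},
        "rights": [r.strip() for r in m["rights"].split(",")],
        "group": m["group"],
    }

def aci_covers(aci, attribute):
    """True if this one ACI targets the attribute (names are case-insensitive).
    False only means this ACI does not apply; other ACIs may still grant access."""
    listed = attribute.lower() in aci["attrs"]
    return not listed if aci["negated"] else listed

if __name__ == "__main__":
    aci = parse_aci(FOLDED)
    print(aci["name"], aci["rights"], aci["group"])
    for attr in ("description", "userPassword", "ipaNTHash"):
        print(attr, "covered" if aci_covers(aci, attr) else "excluded")
```
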

abbra commented 3 years ago

Thanks. I think there is one place with u'..' left in tests. API.txt file has u'..' as well but those are generated and kept this way so they are OK.

flo-renaud commented 3 years ago

I forgot to re-run makeaci and makeapi, it may fix some of the u'..' issues. I'm on it...

Update: no change, API.txt is always generated with u'..'. Regarding the remaining u'..' or u".." I didn't find any in the new code, can you point me to the line?

abbra commented 3 years ago

Right, it was not in the new code -- only in the context lines.

abbra commented 3 years ago

Merged, thanks!