radiusproxy: add permission for reading radius proxy servers
A non-admin user who has the "User Administrator" role cannot add a user with ipa user-add --radius=<proxy> because the call needs to read the radius proxy server entries. The fix adds a System permission for reading radius proxy server entries (all attributes except ipatokenradiussecret). This permission is added to the already existing privileges "User Administrators" and "Stage User Administrators", so that the role "User Administrator" can call ipa [stage]user-add|mod --radius=<proxy> Fixes: https://pagure.io/freeipa/issue/7570 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
parent
1c2c2ee6f8
commit
5d603fce5d
2
ACI.txt
2
ACI.txt
@ -234,6 +234,8 @@ dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example
|
||||
aci: (targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example
|
||||
aci: (targetattr = "cn || cospriority || createtimestamp || entryusn || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=radiusproxy,dc=ipa,dc=example
|
||||
aci: (targetattr = "cn || createtimestamp || description || entryusn || ipatokenradiusretries || ipatokenradiusserver || ipatokenradiustimeout || ipatokenusermapattribute || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipatokenradiusconfiguration)")(version 3.0;acl "permission:System: Read Radius Servers";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Radius Servers,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=Realm Domains,cn=ipa,cn=etc,dc=ipa,dc=example
|
||||
aci: (targetattr = "associateddomain")(targetfilter = "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Modify Realm Domains";allow (write) groupdn = "ldap:///cn=System: Modify Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=Realm Domains,cn=ipa,cn=etc,dc=ipa,dc=example
|
||||
|
@ -29,6 +29,7 @@ from ipalib import errors
|
||||
from ipalib.plugable import Registry
|
||||
from ipalib.util import validate_hostname, validate_ipaddr
|
||||
from ipalib.errors import ValidationError
|
||||
from ipapython.dn import DN
|
||||
import re
|
||||
|
||||
__doc__ = _("""
|
||||
@ -147,6 +148,24 @@ class radiusproxy(LDAPObject):
|
||||
),
|
||||
)
|
||||
|
||||
managed_permissions = {
|
||||
'System: Read Radius Servers': {
|
||||
'replaces_global_anonymous_aci': True,
|
||||
'ipapermright': {'read', 'search', 'compare'},
|
||||
'ipapermdefaultattr': {
|
||||
'cn', 'objectclass', 'ipatokenradiusserver', 'description',
|
||||
'ipatokenradiustimeout', 'ipatokenradiusretries',
|
||||
'ipatokenusermapattribute'
|
||||
},
|
||||
'ipapermlocation': DN(container_dn, api.env.basedn),
|
||||
'ipapermtargetfilter': {
|
||||
'(objectclass=ipatokenradiusconfiguration)'},
|
||||
'default_privileges': {
|
||||
'User Administrators',
|
||||
'Stage User Administrators'},
|
||||
}
|
||||
}
|
||||
|
||||
@register()
|
||||
class radiusproxy_add(LDAPCreate):
|
||||
__doc__ = _('Add a new RADIUS proxy server.')
|
||||
|
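Review bot: The `'ipapermdefaultattr'` set deliberately leaves out `ipatokenradiussecret`, which is the security-relevant property of this permission, yet nothing in the code records that intent; a later maintainer extending the attribute list could copy the object's full attribute set and hand the shared secret to every User Administrator. Add a comment directly above the set, `# ipatokenradiussecret is intentionally excluded: the role only needs to resolve a proxy by name, never to read its shared secret.` Since `'replaces_global_anonymous_aci': True` is set, this permission presumably also becomes the sole read path for these attributes, so the exclusion is what keeps the secret from being readable under the new ACI — worth stating in the same comment. The `import re` added in the earlier hunk is not used by any visible line and is presumably consumed elsewhere in the file. The enclosing class `radiusproxy` starts outside the hunk.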