On Fri, 2013-12-20 at 17:31 -0500, Nathaniel McCallum wrote:
> I'm working on this project: http://www.freeipa.org/page/V3/OTP
>
> Users need to be able to create, edit and delete their own tokens. Each
> token has an attribute: ipatokenOwner.
>
> I attempted creating this ACL:
>
> (target = "ldap:///ipatokenuniqueid=*,cn=otp,dc=example,dc=com")(targetfilter = "(objectClass=ipaToken)")(version 3.0; acl "token-add-delete"; allow (add, delete) userattr = "ipatokenOwner#USERDN";)
>
> After much debugging I found out this is impossible because of this:
> https://git.fedorahosted.org/cgit/389/ds.git/tree/ldap/servers/plugins/acl/acllas.c#n1282
>
> Now, in the general case, I can very much understand why this shouldn't
> be allowed by default. What alternatives are there with the current
> code? Would 389DS be willing to accept a patch to enable this (with an
> I_KNOW_WHAT_I_AM_DOING flag)?
>
> The general reason why this feature works in my case is that each object
> created restricts the user, rather than granting new privileges. This
> seems like a valid use case.

I really appreciate the quick fix for this (a9cd4e78f1fd1af5de06aca46c8c10ed70bbe4e1)! Any idea when this will be available in a release and/or Fedora Rawhide?

Nathaniel

--
389-devel mailing list
389-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-devel
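To make the semantics of the ACI in the quoted message concrete, here is an added illustration that is not part of the thread and not 389 Directory Server code. It is a deliberately simplified evaluator that parses the thread's ACI text (target, targetfilter, allowed rights and the `userattr = "ipatokenOwner#USERDN"` bind rule) and decides whether a bound user may add or delete a token entry. The entries, DNs (`alice`, `bob`, `tok1`) and the helper names are constructed for the example; real ACI evaluation has many more rule types and is not reproduced here. The model also shows the point the message hinges on: for an add, the entry whose `ipatokenOwner` is compared against the bind DN is the one the client itself supplies.

```python
"""Simplified model of a 389-DS-style ACI with a userattr#USERDN bind rule.

Added example, not 389 Directory Server code: it evaluates the ACI from the
thread against in-memory entries to show which add/delete operations the
rule permits. Entry layout, DNs and helper names are constructed here.
"""
import re
from fnmatch import fnmatchcase

# The ACI from the quoted message, verbatim apart from whitespace.
TOKEN_ACI = (
    '(target = "ldap:///ipatokenuniqueid=*,cn=otp,dc=example,dc=com")'
    '(targetfilter = "(objectClass=ipaToken)")'
    '(version 3.0; acl "token-add-delete"; allow (add, delete) '
    'userattr = "ipatokenOwner#USERDN";)'
)


def parse_aci(aci):
    """Extract only the ACI pieces this model understands (assumption: one
    equality targetfilter, one allow clause, one userattr#USERDN rule)."""
    target = re.search(r'\(target\s*=\s*"ldap:///([^"]+)"\)', aci).group(1)
    tfilter = re.search(r'\(targetfilter\s*=\s*"\(([^=]+)=([^)]+)\)"\)', aci)
    rights = re.search(r'allow\s*\(([^)]*)\)', aci).group(1)
    userattr = re.search(r'userattr\s*=\s*"([^#"]+)#USERDN"', aci).group(1)
    return {
        "target": target.lower(),                       # DN glob pattern
        "filter": (tfilter.group(1).lower(), tfilter.group(2).lower()),
        "rights": {r.strip().lower() for r in rights.split(",")},
        "userattr": userattr.lower(),                   # attribute holding the owner DN
    }


def entry_matches_target(aci, dn, entry):
    """True when the entry falls under both target and targetfilter."""
    if not fnmatchcase(dn.lower(), aci["target"]):
        return False
    attr, value = aci["filter"]
    return value in {v.lower() for v in entry.get(attr, [])}


def is_allowed(aci, op, bind_dn, dn, entry):
    """Grant only if: the right is listed, the entry is in scope, and the
    entry's userattr value equals the bind DN. For 'add' the target entry is
    the one being added, so the compared attribute comes from the client."""
    entry = {k.lower(): v for k, v in entry.items()}
    if op not in aci["rights"]:
        return False
    if not entry_matches_target(aci, dn, entry):
        return False
    owners = {v.lower() for v in entry.get(aci["userattr"], [])}
    return bind_dn.lower() in owners


# Constructed sample principals and entries.
ALICE = "uid=alice,cn=users,dc=example,dc=com"
BOB = "uid=bob,cn=users,dc=example,dc=com"
TOKEN_DN = "ipatokenuniqueid=tok1,cn=otp,dc=example,dc=com"


def token(owner):
    """A minimal ipaToken entry owned by `owner` (constructed)."""
    return {"objectClass": ["ipaToken"], "ipatokenOwner": [owner]}


def demo():
    """Evaluate the thread's ACI for a few representative operations."""
    aci = parse_aci(TOKEN_ACI)
    return {
        # Alice adds a token that names herself as owner: permitted.
        "alice_adds_own": is_allowed(aci, "add", ALICE, TOKEN_DN, token(ALICE)),
        # Alice tries to add a token owned by Bob: denied by the bind rule.
        "alice_adds_for_bob": is_allowed(aci, "add", ALICE, TOKEN_DN, token(BOB)),
        # Alice tries to delete Bob's token: denied.
        "alice_deletes_bobs": is_allowed(aci, "delete", ALICE, TOKEN_DN, token(BOB)),
        # 'write' is not among the granted rights: denied.
        "alice_writes_own": is_allowed(aci, "write", ALICE, TOKEN_DN, token(ALICE)),
        # Same entry outside the cn=otp subtree: out of target scope.
        "outside_subtree": is_allowed(
            aci, "add", ALICE,
            "ipatokenuniqueid=tok1,cn=other,dc=example,dc=com", token(ALICE)),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'ALLOW' if decision else 'DENY'}")
```

Running the block prints one ALLOW (a user creating a token that names herself as owner) and four DENYs. The add case is the interesting one from a review standpoint: the attribute the rule compares is taken from the entry the client is proposing, so the rule is only safe when, as the message argues, a self-owned object restricts the creating user rather than granting anything new.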