[Freeipa-devel] patch to add krb instance init

Pete Rowley prowley at redhat.com
Fri Jun 29 17:44:46 UTC 2007


Simo Sorce wrote:
> The patch contains also a few clean ups.
>
> If there are no objections I'll do an hg push to commit this stuff to
> the main repo, sometime around 2pm-4pm
>
>   
Looks good, some comments below.
> Default DIT is not yet finalized, I'd like comments on that.
I actually don't like the "default" thing. We should probably discuss 
the purpose of that and how it would work - it is obviously anticipatory 
so we need to work through what it is anticipating.
>  
> diff -r daf5da216c98 ipa-install/share/default-aci.ldif
> --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
> +++ b/ipa-install/share/default-aci.ldif	Thu Jun 28 17:23:26 2007 -0400
> @@ -0,0 +1,8 @@
> +# $SUFFIX (base entry)
> +dn: $SUFFIX
> +changetype: modify
> +replace: aci
> +aci: (targetattr!="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare)userdn="ldap:///anyone";)
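Review bot: the `+aci:` line grants read, search and compare to `ldap:///anyone` through `targetattr!=`, so every attribute not named in that list, including any sensitive attribute introduced later, is anonymously readable; prefer `targetattr="..."` naming only the attributes meant to be public. `replace: aci` also overwrites whatever aci values already exist on `$SUFFIX`, so use `add: aci` if existing rules on the base entry must be kept. Minor: the `||` spacing is inconsistent at `krbPrincipalKey ||sambaLMPassword`.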
>   
This aci should specify the attributes that anonymous can read, search, 
compare, rather than specifying those anonymous cannot; otherwise it is 
very easy to accidentally allow access to sensitive information. We 
should identify the set of attributes that are probably common "anon" 
access attributes and set up the aci for that.


-- 
Pete
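
As an added example (not code from the original thread or from FreeIPA), the check below audits LDIF for the pattern discussed above: an aci that grants rights to `ldap:///anyone` through a negated `targetattr`. The function names, the sample suffix and the attributes in the allow-list aci are assumptions, and the bind-rule match is simplified.

```python
import re

# Constructed sample: the first aci is the one in the quoted patch; the second is
# a hypothetical allow-list form (cn/uid/objectClass are assumed, not from the page).
SAMPLE_LDIF = '''\
dn: dc=example,dc=com
changetype: modify
replace: aci
aci: (targetattr!="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare)userdn="ldap:///anyone";)
aci: (targetattr="cn || uid || objectClass")(version 3.0; acl "Anonymous allow-list";
  allow (read, search, compare) userdn="ldap:///anyone";)
'''

TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
ACL_NAME = re.compile(r'acl\s+"([^"]*)"', re.I)
# Simplified: only matches an allow rule followed directly by userdn="ldap:///anyone".
ANON_ALLOW = re.compile(r'allow\s*\([^)]*\)\s*userdn\s*=\s*"ldap:///anyone"', re.I)

def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def audit_acis(ldif_text):
    """Return (acl name, verdict, attrs) for every aci that grants rights to anonymous."""
    results = []
    for line in unfold(ldif_text):
        if not line.lower().startswith("aci:") or not ANON_ALLOW.search(line):
            continue  # not an aci, or not an anonymous grant
        name = ACL_NAME.search(line)
        m = TARGETATTR.search(line)
        attrs = [a.strip() for a in m.group(2).split("||")] if m else []
        if m is None or (m.group(1) == "=" and "*" in attrs):
            verdict = "exposes-all"   # no attribute restriction at all
        else:
            # With "!=", everything NOT named is exposed, including future attributes.
            verdict = "deny-list" if m.group(1) == "!=" else "allow-list"
        results.append((name.group(1) if name else "<unnamed>", verdict, attrs))
    return results

if __name__ == "__main__":
    for name, verdict, attrs in audit_acis(SAMPLE_LDIF):
        print(f"{verdict:11} {name}: {', '.join(attrs)}")
```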
