[Freeipa-devel] [PATCH] command-line delegation

Rob Crittenden rcritten at redhat.com
Thu Oct 25 15:49:50 UTC 2007


Simo Sorce wrote:
> On Thu, 2007-10-25 at 08:26 -0700, Kevin McCarthy wrote:
>> Simo Sorce wrote:
>>> On Wed, 2007-10-24 at 13:01 -0400, Rob Crittenden wrote:
>>>> Kevin McCarthy wrote:
>>>>> Rob Crittenden wrote:
>>>>>> A quartet of commands to manage delegations from the command-line (man 
>>>>>> pages thrown in for free).
>>>>> First general comment.  Right now the webgui is not enforcing a unique
>>>>> 'name' field.  This isn't a bad idea - I just haven't implemented such
>>>>> an enforcement in the code.
>>>>>
>>>>> If people agree using the name as an identifier is fine, then we should
>>>>> add enforcement to the gui too.  (and then perhaps we can use the name
>>>>> instead of the entire acistr to identify an individual aci)
>>>> The only other way to do it on the CLI would have the user paste in the 
>>>> entire value of the ACI. I don't think there is another way if we want a 
>>>> CLI equivalent.
>>> ACIs include a comment field.
>>> Is there a reason why we shouldn't use it as the ACI name ?
>> Yeah, actually we are referring to the comment field.  I've just called
>> it 'name' in the ACI data structure.
>>
>> The issue is that there is no uniqueness constraint on the comment
>> (name) field in LDAP.  Nor does the web gui enforce that (although it
>> can be changed to do so).
> 
> We should enforce it at creation time of course.
> We shouldn't barf though on modification.
> 
> We need to document this for admins so that they don't do stupid things
> like creating a bunch of ACIs in the same object with the same comment.
> 
> I think it is ok to have the same "name" on different objects though and
> define the FQDN of an ACI as name/dn
> 
>

That's easy then because all ACIs are currently going into the same 
location on the tree: cn=accounts.

rob
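
The rule discussed in this thread (reject a duplicate name on the same object at creation, tolerate existing duplicates on modification, identify an ACI as name/dn), sketched as an added example that is not part of the original messages or FreeIPA's own code. The function names, the sample DN and the sample ACI strings are constructed for illustration, and names are compared as exact strings, which is an assumption.

```python
import re

# Name (comment) field of a 389 DS style ACI: ...; acl "name"; ...
ACL_NAME = re.compile(r'\bacl\s+"([^"]*)"\s*;')

class DuplicateACIName(Exception):
    """Raised when a new ACI reuses a name already present on the entry."""

def aci_name(acistr):
    """Return the name (comment) field of an ACI string."""
    m = ACL_NAME.search(acistr)
    if m is None:
        raise ValueError("no acl name in ACI: %r" % acistr)
    return m.group(1)

def add_aci(existing, new_aci):
    """Creation: refuse a name that is already used on this entry."""
    name = aci_name(new_aci)
    if name in {aci_name(a) for a in existing}:
        raise DuplicateACIName(name)
    return existing + [new_aci]

def modify_aci(existing, old_aci, new_aci):
    """Modification: swap one exact value and do not fail because other
    ACIs on the entry already share a name (legacy data)."""
    if old_aci not in existing:
        raise LookupError("ACI not found on entry")
    return [new_aci if a == old_aci else a for a in existing]

def find_by_name(dn, existing, name):
    """Resolve name/dn to ACI strings; more than one hit means ambiguity."""
    return [(name + "/" + dn, a) for a in existing if aci_name(a) == name]

# Constructed sample data (hypothetical suffix and groups).
SAMPLE_DN = "cn=accounts,dc=example,dc=com"
SAMPLE_ACIS = [
    '(targetattr = "title")(version 3.0; acl "edit title"; allow (write) '
    'groupdn = "ldap:///cn=editors,cn=accounts,dc=example,dc=com";)',
    '(targetattr = "mail")(version 3.0; acl "edit mail"; allow (write) '
    'groupdn = "ldap:///cn=helpdesk,cn=accounts,dc=example,dc=com";)',
]

if __name__ == "__main__":
    clash = SAMPLE_ACIS[1].replace("edit mail", "edit title")
    try:
        add_aci(SAMPLE_ACIS, clash)
    except DuplicateACIName as e:
        print("rejected at creation: duplicate name %r" % str(e))
    for key, aci in find_by_name(SAMPLE_DN, SAMPLE_ACIS + [clash], "edit title"):
        print(key, "->", aci[:40] + "...")
```

When `find_by_name` returns more than one entry for a name/dn pair, a command-line tool has no safe way to pick one, which is why the creation-time check matters.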