[Freeipa-devel] [PATCH] UUID Plugin: add "enforce" option

Rob Crittenden rcritten at redhat.com
Thu Oct 28 02:26:53 UTC 2010


Simo Sorce wrote:
>
> When the ipaUuidEnforce option is set to TRUE only the Directory
> Manager is allowed to set arbitrary values. Any attempt to set
> values != the ipaUuidGenerate value by non DirMgr users will throw an
> error.
>
> This is useful to enforce UUIDs are always set by the server.
>
> At this moment normal users are still allowed to modify the value so
> that the uuid is regenerated (and therefore changed, although not with
> arbitrary values). If modifications are unwanted I guess we can easily
> add an ACI that allows someone to add the attribute but not modify it
> afterwards.
>
> Currently the install code does not yet set the plugin into enforcing
> mode as that would break all ipa tools, tomorrow I plan to go through
> the framework code and rip off the uuid stuff and finally change the
> default to enforcing for the ipaUniqueID attribute once all client code
> is converted to always set only "0" on creation.
>
> Simo.
>

Ack.

I think we still have some acis controlling access to ipauniqueid. I 
think we can remove them and save a few cycles in the DS aci subsystem.

rob