[Freeipa-devel] [PATCH] 719 permission for cn=ipaconfig

Rob Crittenden rcritten at redhat.com
Mon Feb 14 14:28:01 UTC 2011


Jan Zelený wrote:
> Rob Crittenden <rcritten at redhat.com> wrote:
>> Add permission and privilege for updating the IPA configuration in
>> cn=ipaconfig.
>>
>> ticket 950
>>
>> rob
>
> I'm not quite sure how the patch works. In particular, I wonder about
> these two blocks:
>
> +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
> +default:objectClass: top
> +default:objectClass: groupofnames
> +default:objectClass: nestedgroup
> +default:cn: Write IPA Configuration
> +
> +dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX
> +default:objectClass: top
> +default:objectClass: groupofnames
> +default:objectClass: ipapermission
> +default:cn: Write IPA Configuration
> +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
>
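
Review bot: the two entries above only create groups and make the privilege a member of the permission (the `default:member` line of the second entry); nothing in the quoted lines is an ACI on cn=ipaconfig, so on their own they grant no write access. Confirm that the full patch carries an ACI bound to cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX and that its attribute list is limited to what configuration updates need. Both entries also share the same cn and differ only by container, so a search on cn alone returns two results; a short description attribute on each would make audits easier.
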
> Can't they be specified in one block like:
>
> +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
> +default:objectClass: top
> +default:objectClass: groupofnames
> +default:objectClass: nestedgroup
> +default:objectClass: ipapermission
> +default:cn: Write IPA Configuration
> +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
>
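
Review bot: in this merged form the `default:member` value on the last line is the same DN as the entry's own `dn:` line, so the entry would list itself as a member. The ipapermission objectClass would also sit on an entry under cn=privileges, leaving nothing under cn=permissions for an ACI to reference. Keeping the two entries separate, as in the patch, avoids both problems.
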
> Thanks in advance
>
> Otherwise the patch looks good, so if this is not an issue, I give it ACK.
>
> Jan

Yeah, I know it's redundant looking but these need to be 2 separate records.

Privileges are for the most part a 1-1 relationship to permissions but 
not always. We wanted to have this intermediate object to make things 
easier for the end-user when assigning them to roles.

rob



