[Freeipa-devel] [PATCH] 719 permission for cn=ipaconfig

Rob Crittenden rcritten at redhat.com
Mon Feb 14 15:23:08 UTC 2011


Jan Zelený wrote:
> Martin Kosek <mkosek at redhat.com> wrote:
>> On Mon, 2011-02-14 at 14:37 +0100, Jan Zelený wrote:
>>> Rob Crittenden <rcritten at redhat.com> wrote:
>>>> Add permission and privilege for updating the IPA configuration in
>>>> cn=ipaconfig.
>>>>
>>>> ticket 950
>>>>
>>>> rob
>>>
>>> I'm not quite sure how the patch works. In particular, I wonder about
>>> these two blocks:
>>>
>>> +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
>>> +default:objectClass: top
>>> +default:objectClass: groupofnames
>>> +default:objectClass: nestedgroup
>>> +default:cn: Write IPA Configuration
>>> +
>>> +dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX
>>> +default:objectClass: top
>>> +default:objectClass: groupofnames
>>> +default:objectClass: ipapermission
>>> +default:cn: Write IPA Configuration
>>> +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
>>>
>>> Can't they be specified in one block like:
>>>
>>> +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
>>> +default:objectClass: top
>>> +default:objectClass: groupofnames
>>> +default:objectClass: nestedgroup
>>> +default:objectClass: ipapermission
>>> +default:cn: Write IPA Configuration
>>> +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
>>>
>>> Thanks in advance
>>>
>>> Otherwise the patch looks good, so if this is not an issue, I give it
>>> ACK.
>>>
>>> Jan
>>
>> I think this is OK. We are adding 2 objects - one permission called
>> "Write IPA Configuration" (with an underlying ACI) and one privilege
>> also called "Write IPA Configuration". Therefore they cannot be merged
>> to one LDAP object.
>
>
> Oh, sorry, I didn't see that one object is privilege and another one is
> permission.
>
> Jan

pushed to master