[Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users

Petr Viktorin pviktori at redhat.com
Thu Jun 19 13:59:45 UTC 2014


On 06/19/2014 02:19 PM, Martin Kosek wrote:
> On 06/19/2014 01:39 PM, Petr Viktorin wrote:
>> See commit message.
>>
>> This was found in the review of host write permissions (my patches 0578-0579).
>
> Wouldn't it be better to filter based on objectclass? I.e.:
>
> (targetfilter="(!(objectclass=ipaConfigObject))"
>
> instead of DN based target filter? It seems to me that it is more resilient to
> changes in LDAP structure, in case we change RDN or make one more level like
> (just example):
>
> cn=DNSSEC,cn=DNS,cn=ipa.master.test,...

Sure, fixed patch attached.


-- 
Petr³
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0590.3-Allow-read-access-to-masters-but-not-their-services-.patch
Type: text/x-patch
Size: 1969 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140619/382676bd/attachment.bin>
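The objectclass-based targetfilter Martin proposes can be tried out offline. What follows is an added example and not code from the patch (the attachment is not reproduced on this page); the cn=masters tree, the objectclasses on each entry and the "enabledService" values are constructed to resemble FreeIPA's layout and are assumptions, not the real schema. The DN-depth rule is a stand-in for a DN-shaped ACI, written to show the failure mode Martin describes, and is not a reconstruction of the original patch's ACI.

```python
"""Evaluate (!(objectclass=ipaConfigObject)) against a constructed cn=masters tree.

Added example, not FreeIPA code. Entry layout and objectclasses are
assumptions modelled on cn=masters,cn=ipa,cn=etc; only the LDAP filter
subset needed here (&, |, !, equality, presence) is supported.
"""

SUFFIX = "dc=ipa,dc=test"
MASTERS = "cn=masters,cn=ipa,cn=etc," + SUFFIX

# Constructed sample tree (assumption: the master entry carries nsContainer
# only; per-service entries and any deeper config entry, such as the DNSSEC
# example from the thread, additionally carry ipaConfigObject).
ENTRIES = {
    "cn=ipa.master.test," + MASTERS: {
        "objectclass": ["top", "nsContainer"]},
    "cn=CA,cn=ipa.master.test," + MASTERS: {
        "objectclass": ["top", "nsContainer", "ipaConfigObject"],
        "ipaconfigstring": ["enabledService"]},
    "cn=DNS,cn=ipa.master.test," + MASTERS: {
        "objectclass": ["top", "nsContainer", "ipaConfigObject"],
        "ipaconfigstring": ["enabledService"]},
    "cn=DNSSEC,cn=DNS,cn=ipa.master.test," + MASTERS: {
        "objectclass": ["top", "nsContainer", "ipaConfigObject"],
        "ipaconfigstring": ["enabledService"]},
}

# The targetfilter quoted in the thread.
OBJECTCLASS_FILTER = "(!(objectclass=ipaConfigObject))"


def parse_filter(text):
    """Parse an RFC 4515 subset: (&..), (|..), (!..), (attr=value), (attr=*)."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if text[pos] != ch:
            raise ValueError("expected %r at offset %d" % (ch, pos))
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        op = text[pos]
        if op in "&|":
            pos += 1
            subs = []
            while text[pos] == "(":
                subs.append(node())
            expect(")")
            return (op, subs)
        if op == "!":
            pos += 1
            sub = node()
            expect(")")
            return ("!", [sub])
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError("only equality and presence filters are supported")
        pos = end + 1
        return ("=", attr.strip().lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, entry):
    """Attribute names and values compare case-insensitively, as objectClass does."""
    kind = tree[0]
    if kind == "&":
        return all(matches(t, entry) for t in tree[1])
    if kind == "|":
        return any(matches(t, entry) for t in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def readable_by_objectclass(entries, flt=OBJECTCLASS_FILTER):
    """DNs an ACI carrying this targetfilter would expose to the bound user."""
    tree = parse_filter(flt)
    return sorted(dn for dn, attrs in entries.items() if matches(tree, attrs))


def readable_by_dn_depth(entries):
    """Hypothetical DN-shaped rule (an assumption, not the original patch):
    hide exactly the entries one RDN below a master, expose everything else.
    Counting commas assumes no escaped commas in DNs, true for the tree above."""
    base_depth = MASTERS.count(",")
    visible = []
    for dn in entries:
        depth = dn.count(",") - base_depth  # 1 = master, 2 = service, 3 = deeper
        if depth != 2:
            visible.append(dn)
    return sorted(visible)


if __name__ == "__main__":
    print("objectclass filter exposes:", readable_by_objectclass(ENTRIES))
    print("dn-depth rule exposes:     ", readable_by_dn_depth(ENTRIES))
```

Run as-is, the objectclass filter exposes only the master entry, while the DN-shaped rule also leaks cn=DNSSEC,cn=DNS,... once that extra level exists, which is the resilience argument from the thread in concrete form. The matcher lowercases both attribute names and values, so `(!(OBJECTCLASS=ipaconfigobject))` behaves identically, as it would in the directory server.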

