[Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users

Martin Kosek mkosek at redhat.com
Thu Jun 19 14:50:49 UTC 2014


On 06/19/2014 03:59 PM, Petr Viktorin wrote:
> On 06/19/2014 02:19 PM, Martin Kosek wrote:
>> On 06/19/2014 01:39 PM, Petr Viktorin wrote:
>>> See commit message.
>>>
>>> This was found in the review of host write permissions (my patches 0578-0579).
>>
>> Wouldn't it be better to filter based on objectclass? I.e.:
>>
>> (targetfilter="(!(objectclass=ipaConfigObject))")
>>
>> instead of DN based target filter? It seems to me that it is more resilient to
>> changes in LDAP structure, in case we change RDN or make one more level like
>> (just example):
>>
>> cn=DNSSEC,cn=DNS,cn=ipa.master.test,...
> 
> Sure, fixed patch attached.

/me sighs. I took the information for granted and I did not read the ACI
carefully and did not notice you sent the wrong patch, which I pushed... Could we
please fix the filter and remove the target part now?

Thanks,
Martin



