[Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users

Martin Kosek mkosek at redhat.com
Thu Jun 19 15:16:31 UTC 2014


On 06/19/2014 05:11 PM, Petr Viktorin wrote:
> On 06/19/2014 04:50 PM, Martin Kosek wrote:
>> On 06/19/2014 03:59 PM, Petr Viktorin wrote:
>>> On 06/19/2014 02:19 PM, Martin Kosek wrote:
>>>> On 06/19/2014 01:39 PM, Petr Viktorin wrote:
>>>>> See commit message.
>>>>>
>>>>> This was found in the review of host write permissions (my patches
>>>>> 0578-0579).
>>>>
>>>> Wouldn't it be better to filter based on objectclass? I.e.:
>>>>
>>>> (targetfilter="(!(objectclass=ipaConfigObject))")
>>>>
>>>> instead of DN based target filter? It seems to me that it is more resilient to
>>>> changes in LDAP structure, in case we change the RDN or make one more level like
>>>> (just an example):
>>>>
>>>> cn=DNSSEC,cn=DNS,cn=ipa.master.test,...
>>>
>>> Sure, fixed patch attached.
>>
>> /me sighs. I took the information for granted and I did not read the ACI
>> carefully and did not notice you sent the wrong patch, which I pushed... Could we
>> please fix the filter and remove the target part now?
>>
>> Thanks,
>> Martin
> 
> Sorry for that :(
> Here is a fix patch.

Thanks. ACK, pushed (both) to master.

Martin



