[Freeipa-devel] [PATCH] move replication topology to shared tree

Martin Kosek mkosek at redhat.com
Mon Oct 13 06:19:12 UTC 2014


On 10/10/2014 06:44 PM, Simo Sorce wrote:
> On Fri, 10 Oct 2014 18:38:36 +0200
> Ludwig Krispenz <lkrispen at redhat.com> wrote:
> 
>>
>> On 10/10/2014 06:30 PM, James wrote:
>>> On 10 October 2014 12:21, Simo Sorce <simo at redhat.com> wrote:
>>>
>>>
>>>> First thing, I do not think we want a new command here.
>>>> If we need commands outside of the ipa framework they should be
>>>> integrated in the ipa-replica-manage tool.
>>>> But really one of the reasons to move data in the shared tree was
>>>> that we could grow native framework command to handle the topology
>>>> so we can manage the topology directly from the UI.
>>>> So I am not happy with ipa-tology-manage
>>> I agree here... I think the current interface of ipa-replica-manage
>>> is fine, however the need to copy the credentials around and the
>>> need for a password are the problem. In fact, I particularly like
>>> the current interface, and puppet-ipa has already wrapped this
>>> successfully. In other words, the design checks out. Good job IPA
>>> team.
>>>
>>>> All management should happen in the shared tree, moving to be able
>>>> to avoid directly touching cn=config and avoid the need for DM
>>>> password is one of the main reasons to do this work ...
>> I'll comment later on Simo's other comments, but I need access to
>> cn=config for two reasons,
>> - I need to know if the plugin is deployed and enabled
> 
> Let's expose something in rootDSE then, that's the "standard" way to
> do this (though it is unnecessary, if the shared tree is present you
> already know it is available).

+1 for the plugin enabled/disabled status. However, in case you really need to
let an admin or other privileged person look in a specified part of cn=config,
this can be done with standard permissions. We already have, for example, a
permission for reading replication agreements:

dn: cn=config
aci: (targetattr = "cn || createtimestamp || description || entryusn ||
modifytimestamp || nsds50ruv || nsds5beginreplicarefresh ||
nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || ...
winsyncsubtreepair || winsyncwindowsfilter")(targetfilter =
"(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version
3.0;acl "permission:System: Read Replication Agreements"; allow
(compare,read,search) groupdn = "ldap:///cn=System: Read Replication
Agreements,cn=permissions,cn=pbac,dc=ipa,dc=example";)

Martin
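
An added example, not part of the original thread and not FreeIPA's own code: a small Python parser for 389-ds v3 ACIs of the shape quoted above, with a grants() check that answers whether a member of the permission's group may read a given attribute on an entry of a given objectclass, and a review() pass that flags the usual footguns before such an ACI is placed under cn=config (negated targetattr, wildcard targetattr, missing targetfilter, anonymous bind rule). SAMPLE_ACI is a constructed copy of the quoted permission with a shortened attribute list; BROAD_ACI, the group DN used in the checks, and the function names are assumptions. Only the ACI subset seen in the post is handled (one allow/deny clause, one groupdn or userdn bind rule, a targetfilter built from objectclass equality terms).

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the ACI quoted in the post; the real
# FreeIPA ACI lists many more attributes.
SAMPLE_ACI = (
    '(targetattr = "cn || createtimestamp || description || entryusn || '
    'modifytimestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5flags")'
    '(targetfilter = "(|(objectclass=nsds5Replica)'
    '(objectclass=nsds5replicationagreement)'
    '(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")'
    '(version 3.0;acl "permission:System: Read Replication Agreements"; '
    'allow (compare,read,search) groupdn = "ldap:///cn=System: Read Replication '
    'Agreements,cn=permissions,cn=pbac,dc=ipa,dc=example";)'
)

# Constructed counter-example: negated targetattr plus an anonymous bind rule.
BROAD_ACI = (
    '(targetattr != "userPassword")(version 3.0;acl "anonymous read"; '
    'allow (read,search,compare) userdn = "ldap:///anyone";)'
)

_TARGET_RE = re.compile(r'\((targetattr|targetfilter)\s*(!?=)\s*"([^"]*)"\)')
_ACL_RE = re.compile(
    r'\(version\s*3\.0\s*;\s*acl\s*"([^"]*)"\s*;\s*(allow|deny)\s*'
    r'\(([^)]*)\)\s*(.*?)\s*;\s*\)\s*$', re.S)
_OC_RE = re.compile(r'\(objectclass=([^)]+)\)', re.I)


@dataclass
class Aci:
    name: str
    targetattrs: set      # lower-cased attribute names, or {"*"}
    attrs_negated: bool   # targetattr != "...": every attribute EXCEPT the list
    objectclasses: set    # objectclass values named in the targetfilter
    allow: bool
    rights: set
    bind_rule: str


def _norm_dn(dn: str) -> str:
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_aci(text: str) -> Aci:
    targets = {m.group(1): (m.group(2), m.group(3)) for m in _TARGET_RE.finditer(text)}
    m = _ACL_RE.search(text)
    if m is None:
        raise ValueError("no v3.0 acl clause found")
    op, attrs = targets.get("targetattr", ("=", "*"))   # no targetattr means all
    filt = targets.get("targetfilter", ("=", ""))[1]
    if filt.startswith("(&"):
        raise NotImplementedError("conjunctive targetfilter not supported here")
    return Aci(
        name=m.group(1),
        targetattrs={a.strip().lower() for a in attrs.split("||")},
        attrs_negated=(op == "!="),
        objectclasses={oc.lower() for oc in _OC_RE.findall(filt)},
        allow=(m.group(2) == "allow"),
        rights={r.strip().lower() for r in m.group(3).split(",")},
        bind_rule=m.group(4).strip(),
    )


def _bind_matches(rule: str, group_dn: str, authenticated: bool) -> bool:
    m = re.match(r'(groupdn|userdn)\s*=\s*"ldap:///([^"]*)"$', rule, re.I)
    if m is None:
        return False
    kind, target = m.group(1).lower(), m.group(2)
    if kind == "userdn":
        return target == "anyone" or (target == "all" and authenticated)
    return _norm_dn(target) == _norm_dn(group_dn)


def grants(aci: Aci, right: str, attr: str, group_dn: str,
           entry_objectclasses: set, authenticated: bool = True) -> bool:
    """True if this single ACI allows `right` on `attr` for a member of
    `group_dn` against an entry with `entry_objectclasses`. Deny ACIs never grant."""
    if not aci.allow or right.lower() not in aci.rights:
        return False
    attr = attr.lower()
    if aci.attrs_negated:
        attr_listed = attr not in aci.targetattrs
    else:
        attr_listed = "*" in aci.targetattrs or attr in aci.targetattrs
    if not attr_listed:
        return False
    ocs = {oc.lower() for oc in entry_objectclasses}
    if aci.objectclasses and not (aci.objectclasses & ocs):
        return False
    return _bind_matches(aci.bind_rule, group_dn, authenticated)


def review(aci: Aci) -> list:
    """Warnings a reviewer would raise before adding an allow ACI under cn=config."""
    warnings = []
    if not aci.allow:
        return warnings
    if aci.attrs_negated:
        warnings.append("targetattr != grants every attribute not listed")
    if "*" in aci.targetattrs:
        warnings.append("targetattr * grants every attribute")
    if not aci.objectclasses:
        warnings.append("no targetfilter: applies to every entry under the target")
    if re.search(r'userdn\s*=\s*"ldap:///anyone"', aci.bind_rule, re.I):
        warnings.append("anonymous bind rule")
    return warnings
```

The point of the review() pass is that a read permission on cn=config is only as narrow as its targetattr list and targetfilter: the quoted permission enumerates attributes explicitly and restricts the filter to replica and agreement objectclasses, which is the shape to copy for any new permission exposing plugin state.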