[Freeipa-devel] [freeipa] #6002: Default CA can be used without an ACL
Fraser Tweedale
ftweedal at redhat.com
Mon Jul 4 07:06:16 UTC 2016
On Tue, Jun 28, 2016 at 01:47:23PM -0000, freeipa wrote:
> #6002: Default CA can be used without an ACL
>
> Comment (by ftweedal):
>
> This is expected behaviour; if a CA ACL does not reference any CAs,
> and does not have cacat=all, then it is assumed to refer to the
> default CA. This is for backwards compatibility with existing
> CA ACLs, which do not reference any CAs but did (and still do)
> allow access to IPA CA.
>
> Leaving open for discussion about whether to break compatibility
> for a more consistent behaviour.
>
Didn't get any feedback in the ticket yet so raising on list for
visibility. If people agree with current behaviour I can add a
clarification to caacl plugin help text and close out this ticket.
Thanks,
Fraser
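
The fallback rule from the quoted ticket comment, as an added example that is not part of the original message and is not FreeIPA's code. It compares the current behaviour with the stricter alternative under discussion and lists the CA ACLs that reach the default CA only through the fallback. The dict keys `cacat` and `cas`, the default CA name `ipa`, and the sample ACLs are assumptions constructed for illustration.

```python
# Simplified model of CA ACL scope; not FreeIPA's own code.
# Assumptions: dict keys "cacat"/"cas" and the default CA name "ipa".
DEFAULT_CA = "ipa"


def effective_cas(acl, all_cas, compat=True):
    """Return the set of CAs an ACL applies to.

    compat=True  : an ACL that references no CAs and does not have
                   cacat=all is assumed to refer to the default CA.
    compat=False : the stricter alternative, where such an ACL
                   refers to no CA at all.
    """
    if acl.get("cacat") == "all":
        return set(all_cas)
    cas = set(acl.get("cas", ()))
    if not cas and compat:
        return {DEFAULT_CA}
    return cas


def implicit_default_ca_acls(acls, all_cas):
    """Names of ACLs that reach the default CA only via the fallback."""
    flagged = []
    for acl in acls:
        current = effective_cas(acl, all_cas, compat=True)
        strict = effective_cas(acl, all_cas, compat=False)
        if DEFAULT_CA in current and DEFAULT_CA not in strict:
            flagged.append(acl["name"])
    return flagged


# Constructed sample data, not taken from a real deployment.
ALL_CAS = ["ipa", "vpn-subca"]
SAMPLE_ACLS = [
    {"name": "legacy_hosts", "cas": []},             # predates CA references
    {"name": "vpn_users", "cas": ["vpn-subca"]},     # explicit sub-CA only
    {"name": "explicit_ipa", "cas": ["ipa"]},        # explicit default CA
    {"name": "admins_any_ca", "cacat": "all"},       # every CA
]

if __name__ == "__main__":
    for name in implicit_default_ca_acls(SAMPLE_ACLS, ALL_CAS):
        print(f"{name}: default CA allowed implicitly (no CA referenced)")
```
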