[Freeipa-devel] [PATCH] 52 Disallow deletion of global password policy
Rob Crittenden
rcritten at redhat.com
Tue Oct 11 13:19:56 UTC 2011
Jan Cholasta wrote:
> Don't allow "ipa pwpolicy-del global_policy".
>
> https://fedorahosted.org/freeipa/ticket/1936
Can you add a unit test case for this? Then ack.
>
> Questions:
>
> Is it possible to disallow deletion of specific objects on LDAP level
> instead?
Well, that would be ideal in some cases. We'd need to write a plugin to
intercept changes and have it compare it to a list of "no deletes". You
can file an RFE if you want; this might be handy to have.
>
> The default HBAC rule, allow_all, can also be deleted - should it be
> disallowed too?
This is one we want to be removable. Before we had this the default HBAC
stance was "nobody can log in" and it was jarring to most folks.
It is possible to install without this rule using the option --no_hbac_allow.
rob