[Freeipa-devel] New ACIs for cn=etc

Simo Sorce ssorce at redhat.com
Wed Apr 16 13:04:43 UTC 2014


On Wed, 2014-04-16 at 15:00 +0200, Petr Viktorin wrote:
> >> Simo, Rob, would you be OK with changing virtual operation objectclass to our
> >> own one to have a better control over it?
> >
> > No, in general I am not ok to change objects that already exist in IPA
> > as it makes upgrades with new and old replicas break the old replicas.
> >
> > Also we can add new auxiliary classes but removing structural classes is
> > not possible, you would have to delete and recreate the object, and that
> > would be racy too.
> 
> I see.
> How about adding a new objectClass in addition to nsContainer, and using
> a negative targetfilter?
> 
I have no objection to that, but it should be a last resort if we have no
other way IMO, and valid only for objects that are not normally created
on a daily basis, as old replicas creating new objects would not know to
add the new objectclass.
In this case it seems like we should be ok as we do not commonly create
these objects, so the chances an old replica creates them are
negligible.

Simo.



