[Freeipa-devel] New ACIs for cn=etc

Petr Viktorin pviktori at redhat.com
Thu Apr 17 10:21:06 UTC 2014


On 04/16/2014 03:04 PM, Simo Sorce wrote:
> On Wed, 2014-04-16 at 15:00 +0200, Petr Viktorin wrote:
>>>> Simo, Rob, would you be OK with changing virtual operation objectclass to our
>>>> own one to have a better control over it?
>>>
>>> No, in general I am not ok to change objects that already exist in IPA
>>> as it makes upgrades with new and old replicas break the old replicas.
>>>
>>> Also we can add new auxiliary classes but removing structural classes is
>>> not possible, you would have to delete and recreate the object, and that
>>> would be racy too.
>>
>> I see.
>> How about adding a new objectClass in addition to nsContainer, and using
>> a negative targetfilter?
>>
> I have no objection to that, but should be last resort if we have no
> other way IMO, and valid only for objects that are not normally created
> on a daily basis, as old replicas creating new objects would not know to
> add the new objectclass.
> In this case it seems like we should be ok as we do not commonly create
> these objects, so the chances an old replica creates them are
> negligible.
>
> Simo.
>

Alright. I've reserved 2.16.840.1.113730.3.8.12.23 for a new 
ipaVirtualOperation objectclass. Let me know if I should use a different 
one.

-- 
Petr³



