[Freeipa-devel] New ACIs for cn=etc

Petr Viktorin pviktori at redhat.com
Thu Apr 17 10:21:06 UTC 2014

On 04/16/2014 03:04 PM, Simo Sorce wrote:
> On Wed, 2014-04-16 at 15:00 +0200, Petr Viktorin wrote:
>>>> Simo, Rob, would you be OK with changing virtual operation objectclass to our
>>>> own one to have a better control over it?
>>> No, in general I am not ok to change objects that already exist in IPA
>>> as it makes upgrades with new and old replicas break the old replicas.
>>> Also we can add new auxiliary classes but removing structural classes is
>>> not possible, you would have to delete and recreate the object, and that
>>> would be racy too.
>> I see.
>> How about adding a new objectClass in addition to nsContainer, and using
>> a negative targetfilter?
> I have no objection to that, but should be last resort if we have no
> other way IMO, and valid only for objects that are not normally created
> on a daily basis, as old replicas creating new objects would not know to
> add the new objectclass.
> In this case it seems like we should be ok as we do not commonly create
> these objects, so the chances an old replica creates them are
> negligible.
> Simo.

Alright. I've reserved 2.16.840.1.113730. for a new 
ipaVirtualOperation objectclass. Let me know if I should use a different 
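
The negative-targetfilter idea and the old-replica caveat raised in the thread above, as an added example that is not part of the original message or of FreeIPA's code: a small evaluator for a subset of LDAP filter syntax, run over constructed entries. The filter string, the entry names and the `in_scope` helper are assumptions made for illustration.

```python
# Evaluates the LDAP filter subset (&...), (|...), (!...), (attr=value).
# Assumption: TARGETFILTER and ENTRIES are constructed; they are not FreeIPA's ACIs or data.

def parse(f, i=0):
    """Parse one parenthesised filter starting at f[i]; return (node, next_index)."""
    if f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if f[i] in ("&", "|"):
        op, i, kids = f[i], i + 1, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1              # step over the closing ')'
    if f[i] == "!":
        kid, i = parse(f, i + 1)
        return ("!", kid), i + 1
    end = f.index(")", i)
    attr, value = f[i:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    return value in (v.lower() for v in entry.get(attr, []))

def in_scope(filter_str, entry):
    """True if the entry is selected by the filter (attribute names case-insensitive)."""
    node, end = parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return matches(node, {k.lower(): v for k, v in entry.items()})

# Hypothetical target filter: containers that are NOT marked as virtual operations.
TARGETFILTER = "(&(objectClass=nsContainer)(!(objectClass=ipaVirtualOperation)))"

ENTRIES = {  # constructed sample entries
    "plain container": {"objectClass": ["top", "nsContainer"]},
    "virtual operation, upgraded": {"objectClass": ["top", "nsContainer", "ipaVirtualOperation"]},
    # Created by an old replica that does not know to add the new objectclass:
    "virtual operation, old replica": {"objectClass": ["top", "nsContainer"]},
}

def scope_report():
    return {name: in_scope(TARGETFILTER, e) for name, e in ENTRIES.items()}
```

The third entry is the case the caveat is about: without the new objectclass it is indistinguishable from a plain container, so the negative filter still selects it.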