[Freeipa-devel] New ACIs for cn=etc

Martin Kosek mkosek at redhat.com
Wed Apr 23 11:13:45 UTC 2014


On 04/23/2014 01:03 PM, Petr Viktorin wrote:
> On 04/14/2014 12:55 PM, Martin Kosek wrote:
> [...]
>> dn: cn=masters,cn=ipa,cn=etc,SUFFIX
>> - ADD aci allowing reading hosts (to have it separate from global cn=etc one so
>> that we can once assign it only to ipamasters hostgroup for example)
> 
> We don't have an ipamasters hostgroup. Should we?

We do not have it currently, but AFAIK Honza planned (or even had patches?) to
add it in his CA management utility effort. Honza, is that correct?

Until this hostgroup is ready (and managed), I think we can have an ACI to
allow read access to all authenticated users.

OR, we may choose not to have an ACI at all given that utilities (ipactl,
ipa-replica-manage, ipa-replica-install) operating with cn=masters bind as DM
(either via password or with External bind) and i.e. should not need the ACI.

Martin
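For reference, the interim option discussed above (read access for all authenticated users, pending an ipamasters hostgroup) expressed as a 389-ds ACI in LDIF. This is an added illustration, not a patch from the thread; the suffix, the ACI name and the attribute list are assumptions for the example:

```ldif
# Constructed example: grant read-only access to the cn=masters subtree
# to any bound (authenticated) user. Replace dc=example,dc=com with the
# real SUFFIX of the deployment.
dn: cn=masters,cn=ipa,cn=etc,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "cn || objectClass || ipaConfigString")
 (targetfilter = "(objectClass=*)")
 (version 3.0; acl "Read IPA masters (interim)";
 allow (read, search, compare)
 userdn = "ldap:///all";)
```

Note that `userdn = "ldap:///all"` matches only authenticated binds; `ldap:///anyone` would also include anonymous clients, which is not what the proposal above asks for. Once an ipamasters hostgroup exists, the same ACI can be narrowed by replacing the `userdn` clause with a `groupdn` clause pointing at that hostgroup.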
