[Freeipa-devel] New ACIs for cn=etc

Jan Cholasta jcholast at redhat.com
Wed Apr 23 11:42:52 UTC 2014

On 23.4.2014 13:13, Martin Kosek wrote:
> On 04/23/2014 01:03 PM, Petr Viktorin wrote:
>> On 04/14/2014 12:55 PM, Martin Kosek wrote:
>> [...]
>>> dn: cn=masters,cn=ipa,cn=etc,SUFFIX
>>> - ADD aci allowing reading hosts (to have it separate from global cn=etc one so
>>> that we can once assign it only to ipamasters hostgroup for example)
>> We don't have an ipamasters hostgroup. Should we?
> We do not have it currently, but AFAIK Honza planned (or even had patches?) to
> add it in his CA management utility effort. Honza, is that correct?

It would certainly make things prettier. I don't have any patches, but 
there is a ticket for that: <https://fedorahosted.org/freeipa/ticket/3416>.

> Until this hostgroup is ready (and managed), I think we can have an ACI to
> allow read access to all authenticated users.
> OR, we may choose not to have an ACI at all given that utilities (ipactl,
> ipa-replica-manage, ipa-replica-install) operating with cn=masters bind as DM
> (either via password or with External bind) and i.e. should not need the ACI.

Renewal scripts need access to cn=masters and bind as host.

> Martin

Jan Cholasta
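For reference, the two options discussed above written out as 389-DS ACIs. This is an added illustration, not a patch from the thread or FreeIPA's shipped ACI: the acl names, the attribute list and the hostgroup DN (cn=ipamasters,cn=hostgroups,cn=accounts,SUFFIX) are assumptions, and SUFFIX is the placeholder the thread itself uses. The first ACI is the interim "all authenticated users" variant; the second is the form it could be tightened to once an ipamasters hostgroup exists.

```ldif
# Added example, not FreeIPA's actual ACI. Replace SUFFIX with the base DN.
# Interim ACI: read-only access to the cn=masters subtree for every
# authenticated bind. Note the bind rule: userdn = "ldap:///all" means
# "any authenticated user", whereas "ldap:///anyone" would also include
# anonymous binds, which is not what is wanted here.
dn: cn=masters,cn=ipa,cn=etc,SUFFIX
changetype: modify
add: aci
aci: (targetattr = "cn || objectclass || ipaconfigstring")(version 3.0; acl "Read IPA Masters (authenticated users)"; allow (read, search, compare) userdn = "ldap:///all";)

# Tightened variant for later: same target, but only hosts that are members
# of an (assumed) ipamasters hostgroup may read. This is what lets renewal
# scripts, which bind as the host, keep working without granting access to
# every account. Enrolled hosts bind as fqdn=...,cn=computers,cn=accounts,SUFFIX,
# so those DNs must be members of the hostgroup for the rule to match.
dn: cn=masters,cn=ipa,cn=etc,SUFFIX
changetype: modify
add: aci
aci: (targetattr = "cn || objectclass || ipaconfigstring")(version 3.0; acl "Read IPA Masters (ipamasters hostgroup)"; allow (read, search, compare) groupdn = "ldap:///cn=ipamasters,cn=hostgroups,cn=accounts,SUFFIX";)
```

Only one of the two entries would be applied at a time; the second replaces the first once the hostgroup is created and managed. Before switching, verify with an ldapsearch bound as a master's host principal (and, separately, as an ordinary user) that the renewal scripts' reads still succeed and the user's no longer do.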
