[Freeipa-devel] New ACIs for cn=etc

Petr Viktorin pviktori at redhat.com
Wed Apr 23 12:38:29 UTC 2014

On 04/23/2014 01:42 PM, Jan Cholasta wrote:
> On 23.4.2014 13:13, Martin Kosek wrote:
>> On 04/23/2014 01:03 PM, Petr Viktorin wrote:
>>> On 04/14/2014 12:55 PM, Martin Kosek wrote:
>>> [...]
>>>> dn: cn=masters,cn=ipa,cn=etc,SUFFIX
>>>> - ADD aci allowing reading hosts (to have it separate from global
>>>> cn=etc one so that we can once assign it only to ipamasters hostgroup
>>>> for example)
>>> We don't have an ipamasters hostgroup. Should we?
>> We do not have it currently, but AFAIK Honza planned (or even had
>> patches?) to add it in his CA management utility effort. Honza, is that
>> correct?
> It would certainly make things prettier. I don't have any patches, but
> there is a ticket for that: <https://fedorahosted.org/freeipa/ticket/3416>.

Sounds like the best way to do this. I've moved the ticket to Needs triage.

>> Until this hostgroup is ready (and managed), I think we can have an
>> ACI to allow read access to all authenticated users.
>> OR, we may choose not to have an ACI at all given that utilities (ipactl,
>> ipa-replica-manage, ipa-replica-install) operating with cn=masters
>> bind as DM (either via password or with External bind) and i.e. should
>> not need the ACI.
> Renewal scripts need access to cn=masters and bind as host.
