[Freeipa-devel] [PATCHES] 0534-0535 Add several managed read permissions under cn=etc

Martin Kosek mkosek at redhat.com
Thu Apr 24 11:53:29 UTC 2014

On 04/23/2014 02:48 PM, Simo Sorce wrote:
> On Wed, 2014-04-23 at 13:42 +0200, Petr Viktorin wrote:
>> This adds managed read permissions to cn=etc. Since these permissions 
>> are not bound to objects, the first patch adds support for those. 
>> They're defined in the update plugin.
>> The second patch adds permissions for various subtrees/entries in 
>> cn=etc, according to the [discussion thread].
>> I wonder if we should limit the attributes in cn=replication; are all 
>> nsds5replica attrs needed?
> Nope, IIRC we use this object exclusively to set the next available
> replica id.
>> For cn=ad,cn=etc I put the permission in cn=etc and used a target,
>> since 
>> cn=ad is not present by default.
> ok.

534 - ACK.


System: Read IPA Masters - ACK

System: Read DNA Configuration - ACK

System: Read CA Renewal Information - ACK
- I tested with "getcert resubmit -i $ID_OF_AUDITCERT"

System: Read CA Certificate - should be OK
- currently we need just cn,objectclass,cACertificate, but we may allow others
for future use

System: Read Replication Information - changes needed?
- currently, we need/use just cn,objectclass,nsds5replicaid,nsds5replicaroot
- I am thinking we may be fine with allowing just those. Simo, what's your take
on this?

System: Read AD Domains - ACK


More information about the Freeipa-devel mailing list