[Freeipa-devel] [PATCHES] 0534-0535 Add several managed read permissions under cn=etc

Martin Kosek mkosek at redhat.com
Thu Apr 24 11:53:29 UTC 2014


On 04/23/2014 02:48 PM, Simo Sorce wrote:
> On Wed, 2014-04-23 at 13:42 +0200, Petr Viktorin wrote:
>> This adds managed read permissions to cn=etc. Since these permissions 
>> are not bound to objects, the first patch adds support for those. 
>> They're defined in the update plugin.
>>
>> The second patch adds permissions for various subtrees/entries in 
>> cn=etc, according to the [discussion thread].
>>
>> I wonder if we should limit the attributes in cn=replication; are all 
>> nsds5replica attrs needed?
> 
> Nope, IIRC we use this object exclusively to set the next available
> replica id.
> 
>> For cn=ad,cn=etc I put the permission in cn=etc and used a target, since
>> cn=ad is not present by default.
>>
> ok.

534 - ACK.

535:

System: Read IPA Masters - ACK

System: Read DNA Configuration - ACK

System: Read CA Renewal Information - ACK
- I tested with "getcert resubmit -i $ID_OF_AUDITCERT"

System: Read CA Certificate - should be OK
- currently we need just cn,objectclass,cACertificate, but we may allow others
for future use

System: Read Replication Information - changes needed?
- currently, we need/use just cn,objectclass,nsds5replicaid,nsds5replicaroot
- I am thinking we may be fine with allowing just those. Simo, what's your take
on this?

System: Read AD Domains - ACK

Martin
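The question above about trimming "System: Read Replication Information" to the four attributes actually used is a least-privilege check that can be automated. The following is an added example, not code from the patches or from FreeIPA: it parses the targetattr clause of a 389-DS style ACI (the form FreeIPA generates from a managed permission) and reports any attributes granted beyond the needed set. The ACI strings are constructed for illustration; the suffix dc=example,dc=test and the extra nsds5 attributes in the broad variant are assumptions.

```python
import re

# Attributes the thread says are actually needed under cn=replication,cn=etc.
NEEDED_REPLICATION_ATTRS = {"cn", "objectclass", "nsds5replicaid", "nsds5replicaroot"}

# Matches the targetattr clause of a 389-DS ACI, e.g. (targetattr = "a || b").
TARGETATTR_RE = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', re.IGNORECASE)


def aci_target_attrs(aci):
    """Return (negated, attrs) from the ACI's targetattr clause.

    A missing targetattr clause means the ACI applies to every attribute,
    so it is reported as an error rather than silently treated as empty.
    """
    m = TARGETATTR_RE.search(aci)
    if m is None:
        raise ValueError("ACI has no targetattr clause: it covers every attribute")
    negated = m.group(1) == "!="
    attrs = {a.strip().lower() for a in m.group(2).split("||") if a.strip()}
    return negated, attrs


def excess_attrs(aci, needed):
    """Attributes the ACI exposes beyond `needed` (case-insensitive).

    A wildcard or a negated targetattr cannot be bounded by a fixed list,
    so both are reported as {'*'} to make the over-grant obvious.
    """
    negated, attrs = aci_target_attrs(aci)
    if negated or "*" in attrs:
        return {"*"}
    return attrs - {a.lower() for a in needed}


# Constructed ACIs modelled on the permission name from the thread (not real FreeIPA output).
BROAD_ACI = (
    '(targetattr = "cn || objectclass || nsds5replicaid || nsds5replicaroot || '
    'nsds5replicabinddn || nsds5replicatype")'
    '(target = "ldap:///cn=replication,cn=etc,dc=example,dc=test")'
    '(version 3.0;acl "permission:System: Read Replication Information";'
    'allow (read, search, compare) userdn = "ldap:///all";)'
)
TIGHT_ACI = BROAD_ACI.replace(" || nsds5replicabinddn || nsds5replicatype", "")

if __name__ == "__main__":
    for name, aci in (("broad", BROAD_ACI), ("tight", TIGHT_ACI)):
        extra = excess_attrs(aci, NEEDED_REPLICATION_ATTRS)
        print(f"{name}: {'OK' if not extra else 'excess: ' + ', '.join(sorted(extra))}")
```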
