[Freeipa-devel] [PATCHES] 0534-0535 Add several managed read permissions under cn=etc

Simo Sorce ssorce at redhat.com
Thu Apr 24 12:24:49 UTC 2014


On Thu, 2014-04-24 at 13:53 +0200, Martin Kosek wrote:
> On 04/23/2014 02:48 PM, Simo Sorce wrote:
> > On Wed, 2014-04-23 at 13:42 +0200, Petr Viktorin wrote:
> >> This adds managed read permissions to cn=etc. Since these permissions 
> >> are not bound to objects, the first patch adds support for those. 
> >> They're defined in the update plugin.
> >>
> >> The second patch adds permissions for various subtrees/entries in 
> >> cn=etc, according to the [discussion thread].
> >>
> >> I wonder if we should limit the attributes in cn=replication; are all 
> >> nsds5replica attrs needed?
> > 
> > Nope, IIRC we use this object exclusively to set the next available
> > replica id.
> > 
> >> For cn=ad,cn=etc I put the permission in cn=etc and used a target,
> >> since cn=ad is not present by default.
> >>
> > ok.
> 
> 534 - ACK.
> 
> 535:
> 
> System: Read IPA Masters - ACK
> 
> System: Read DNA Configuration - ACK
> 
> System: Read CA Renewal Information - ACK
> - I tested with "getcert resubmit -i $ID_OF_AUDITCERT"
> 
> System: Read CA Certificate - should be OK
> - currently we need just cn,objectclass,cACertificate, but we may allow others
> for future use
> 
> System: Read Replication Information - changes needed?
> - currently, we need/use just cn,objectclass,nsds5replicaid,nsds5replicaroot
> - I am thinking we may be fine with allowing just those. Simo, what's your take
> on this?

Should be fine, hopefully we will soon overhaul the replication stuff to
expose the topology and all, so I am not overly concerned.

> System: Read AD Domains - ACK

Simo.
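One way to check the point raised for "System: Read Replication Information" and "System: Read CA Certificate", that a read permission exposes only the attributes actually needed, as an added example that is not code from the FreeIPA project or from this thread. It assumes the 389-ds ACI syntax that FreeIPA's managed permissions are compiled into; the ACI strings below are constructed for illustration, with only the attribute lists taken from the thread.

```python
import re

# Constructed sample ACIs in 389-ds syntax (an assumption about the form
# FreeIPA's managed permissions take in the directory); only the attribute
# lists come from the thread, the rest is illustrative.
SAMPLE_ACIS = {
    "System: Read Replication Information":
        '(targetattr = "cn || objectclass || nsds5replicaid || nsds5replicaroot")'
        '(version 3.0;acl "permission:System: Read Replication Information";'
        'allow (compare,read,search) userdn = "ldap:///all";)',
    "System: Read CA Certificate":
        '(targetattr = "cn || objectclass || cACertificate")'
        '(version 3.0;acl "permission:System: Read CA Certificate";'
        'allow (compare,read,search) userdn = "ldap:///all";)',
    "Overly broad (hypothetical)":
        '(targetattr = "*")'
        '(version 3.0;acl "permission:Overly broad";'
        'allow (read,search) userdn = "ldap:///all";)',
}

# Attributes the reviewers say each permission actually needs.
REQUIRED = {
    "System: Read Replication Information":
        {"cn", "objectclass", "nsds5replicaid", "nsds5replicaroot"},
    "System: Read CA Certificate": {"cn", "objectclass", "cacertificate"},
}

_TARGETATTR = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', re.IGNORECASE)

def targetattrs(aci):
    """Lower-cased attribute names the ACI exposes, or None when the grant is
    open-ended (no targetattr, a "*" wildcard, or a negated != list)."""
    m = _TARGETATTR.search(aci)
    if not m:
        return None  # no targetattr clause at all means every attribute
    op, attrs = m.groups()
    if op == "!=":
        return None  # "everything except ..." cannot be treated as a closed list
    names = {a.strip().lower() for a in attrs.split("||")}
    return None if "*" in names else names

def excess_attributes(aci, required):
    """Attributes granted beyond what is needed; None means unbounded."""
    granted = targetattrs(aci)
    if granted is None:
        return None
    return granted - {r.lower() for r in required}
```

An empty result for a permission means its targetattr list is already minimal; a non-empty set lists what could be dropped, and None flags a grant that should be narrowed before review.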