[Freeipa-devel] [PATCHES] 0534-0535 Add several managed read permissions under cn=etc
mkosek at redhat.com
Thu Apr 24 12:43:54 UTC 2014
On 04/24/2014 02:24 PM, Simo Sorce wrote:
> On Thu, 2014-04-24 at 13:53 +0200, Martin Kosek wrote:
>> On 04/23/2014 02:48 PM, Simo Sorce wrote:
>>> On Wed, 2014-04-23 at 13:42 +0200, Petr Viktorin wrote:
>>>> This adds managed read permissions to cn=etc. Since these permissions
>>>> are not bound to objects, the first patch adds support for those.
>>>> They're defined in the update plugin.
>>>> The second patch adds permissions for various subtrees/entries in
>>>> cn=etc, according to the [discussion thread].
>>>> I wonder if we should limit the attributes in cn=replication; are all
>>>> nsds5replica attrs needed?
>>> Nope, IIRC we use this object exclusively to set the next available
>>> replica id.
>>>> For cn=ad,cn=etc I put the permission in cn=etc and used a target,
>>>> cn=ad is not present by default.
>> 534 - ACK.
>> System: Read IPA Masters - ACK
>> System: Read DNA Configuration - ACK
>> System: Read CA Renewal Information - ACK
>> - I tested with "getcert resubmit -i $ID_OF_AUDITCERT"
>> System: Read CA Certificate - should be OK
>> - currently we need just cn,objectclass,cACertificate, but we may allow others
>> for future use
>> System: Read Replication Information - changes needed?
>> - currently, we need/use just cn,objectclass,nsds5replicaid,nsds5replicaroot
>> - I am thinking we may be fine with allowing just those. Simo, what's your take
>> on this?
> Should be fine, hopefully we will soon overhaul the replication stuff to
> expose the topology and all, so I am not overly concerned.
>> System: Read AD Domains - ACK
Ok, thanks. It is an ACK as the "System: Read Replication Information" was the
only one I was concerned about.
Pushed to master: d893b77fb69ef2e0aedf823e7cd82ca86a2971af
More information about the Freeipa-devel