[Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users
Martin Kosek
mkosek at redhat.com
Thu Jun 19 12:19:04 UTC 2014
On 06/19/2014 01:39 PM, Petr Viktorin wrote:
> See commit message.
>
> This was found in the review of host write permissions (my patches 0578-0579).
Wouldn't it be better to filter based on objectclass? I.e.:

(targetfilter="(!(objectclass=ipaConfigObject))")

instead of a DN-based target filter? It seems to me that it is more resilient to
changes in LDAP structure, in case we change the RDN or make one more level like
(just an example):

cn=DNSSEC,cn=DNS,cn=ipa.master.test,...
Martin
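
The comparison raised in this message, as an added example that is not part of the original thread or of FreeIPA's code: it evaluates the quoted targetfilter and a DN-shaped rule over the same entries, including the deeper DNSSEC entry. The suffix, the objectClass values on each entry and the DN rule itself are assumptions constructed for illustration.

```python
import re

SUFFIX = "cn=masters,cn=ipa,cn=etc,dc=example,dc=test"  # constructed suffix

# Constructed entries: DN -> objectClass values (assumed for illustration).
ENTRIES = {
    f"cn=ipa.master.test,{SUFFIX}": ["top", "nsContainer"],
    f"cn=DNS,cn=ipa.master.test,{SUFFIX}":
        ["top", "nsContainer", "ipaConfigObject"],
    # The restructured layout from the message: one more level below a service.
    f"cn=DNSSEC,cn=DNS,cn=ipa.master.test,{SUFFIX}":
        ["top", "nsContainer", "ipaConfigObject"],
}

# Hypothetical DN-shaped rule: hide entries exactly one level below a master.
SERVICE_DN = re.compile(rf"^cn=[^,]+,cn=[^,]+,{re.escape(SUFFIX)}$", re.I)

def readable_by_dn(dn):
    """Readable if under the masters container and not shaped like a service DN."""
    return dn.lower().endswith(SUFFIX.lower()) and not SERVICE_DN.match(dn)

def match_filter(flt, classes):
    """Evaluate the two filter forms used here: (!(f)) and (objectclass=value)."""
    flt = flt.strip()
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError(f"malformed filter: {flt!r}")
    inner = flt[1:-1]
    if inner.startswith("!"):
        return not match_filter(inner[1:], classes)
    attr, sep, value = inner.partition("=")
    if not sep or attr.strip().lower() != "objectclass":
        raise ValueError(f"unsupported filter: {flt!r}")
    return value.strip().lower() in {c.lower() for c in classes}

TARGETFILTER = "(!(objectclass=ipaConfigObject))"  # filter quoted in the message

def compare():
    """Return {dn: (readable under DN rule, readable under targetfilter)}."""
    return {dn: (readable_by_dn(dn), match_filter(TARGETFILTER, oc))
            for dn, oc in ENTRIES.items()}

if __name__ == "__main__":
    for dn, (by_dn, by_filter) in compare().items():
        print(f"{dn}\n  DN rule: {by_dn}  targetfilter: {by_filter}")
```

The deeper entry slips past the DN-shaped rule but stays hidden under the objectclass filter, which holds only as long as every new configuration entry actually carries ipaConfigObject.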