[Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users

Martin Kosek mkosek at redhat.com
Thu Jun 19 12:19:04 UTC 2014


On 06/19/2014 01:39 PM, Petr Viktorin wrote:
> See commit message.
> 
> This was found in the review of host write permissions (my patches 0578-0579).

Wouldn't it be better to filter based on objectclass? I.e.:

(targetfilter="(!(objectclass=ipaConfigObject))")

instead of a DN-based target filter? It seems to me that it is more resilient to
changes in the LDAP structure, in case we change an RDN or add one more level,
like (just an example):

cn=DNSSEC,cn=DNS,cn=ipa.master.test,...

Martin
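The following is an added illustration, not code from the thread or from FreeIPA itself. It models the two ways of scoping the permission that are being compared: an assumed DN-pattern exclusion (the patch under review is not visible here, so the exact form "deny entries exactly two RDNs below cn=masters" is an assumption) against the objectclass-based targetfilter Martin proposes. The entries, their object classes and the suffix dc=example,dc=com are constructed for the example; the one-more-level case uses the cn=DNSSEC,cn=DNS,... DN from the message.

```python
"""Compare a DN-pattern exclusion with an objectclass-based targetfilter.

Added example, not part of the freeipa-devel thread.  Assumptions: service
entries under a master carry objectClass ipaConfigObject, the master entry
itself does not, and the DN-based variant excludes services by matching
exactly two RDNs below cn=masters.
"""
import re

SUFFIX = "dc=example,dc=com"          # constructed suffix
MASTERS = f"cn=masters,cn=ipa,cn=etc,{SUFFIX}"

# Constructed entries: a master, one of its services, and the deeper level
# Martin mentions as a possible future layout.
ENTRIES = {
    f"cn=ipa.master.test,{MASTERS}":
        {"objectclass": ["top", "nsContainer"]},
    f"cn=DNS,cn=ipa.master.test,{MASTERS}":
        {"objectclass": ["top", "nsContainer", "ipaConfigObject"],
         "ipaconfigstring": ["enabledService"]},
    f"cn=DNSSEC,cn=DNS,cn=ipa.master.test,{MASTERS}":
        {"objectclass": ["top", "nsContainer", "ipaConfigObject"]},
}


def split_top_level(s):
    """Split '(a)(b)(c)' into its top-level parenthesised pieces."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def eval_filter(flt, entry):
    """Evaluate a small RFC 4515 subset against an entry (attrs lower-cased):
    (&...), (|...), (!...), (attr=value) and (attr=*)."""
    flt = flt.strip()
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % flt)
    body = flt[1:-1]
    if body and body[0] in "&|!":
        results = [eval_filter(p, entry) for p in split_top_level(body[1:])]
        if body[0] == "&":
            return all(results)
        if body[0] == "|":
            return any(results)
        return not results[0]
    attr, _, value = body.partition("=")
    values = [v.lower() for v in entry.get(attr.lower(), [])]
    if value == "*":
        return bool(values)
    return value.lower() in values


def dn_matches(pattern, dn):
    """Match a DN against an ACI-style pattern where '*' is one RDN value."""
    regex = "^" + re.escape(pattern).replace(r"\*", "[^,]*") + "$"
    return re.match(regex, dn, re.IGNORECASE) is not None


def in_masters_subtree(dn):
    return dn.lower().endswith("," + MASTERS.lower())


def readable_dn_rule(dn, entry):
    """Assumed DN-based variant: everything under cn=masters is readable except
    entries exactly two RDNs below it (the services)."""
    return in_masters_subtree(dn) and not dn_matches(f"cn=*,cn=*,{MASTERS}", dn)


def readable_objectclass_rule(dn, entry):
    """Martin's variant: readable unless the entry is an ipaConfigObject,
    wherever it sits below cn=masters."""
    return in_masters_subtree(dn) and eval_filter(
        "(!(objectclass=ipaConfigObject))", entry)


def compare(entries=ENTRIES):
    """Return {dn: (readable under DN rule, readable under objectclass rule)}."""
    return {dn: (readable_dn_rule(dn, e), readable_objectclass_rule(dn, e))
            for dn, e in entries.items()}


if __name__ == "__main__":
    for dn, (by_dn, by_oc) in compare().items():
        print(f"{dn}\n  DN rule: {by_dn}  objectclass rule: {by_oc}")
```

Run stand-alone it prints one line per entry: both rules expose the master and hide cn=DNS, but only the objectclass rule still hides cn=DNSSEC once the extra level exists, which is the resilience point made above.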